Schrodinger's GitLab — just vulnerable or already hacked? It is better not to check

Carding

Update your installations as soon as possible to avoid attacks on the supply chain.

GitLab has released security updates to address a critical vulnerability that allows attackers to run pipelines on behalf of other users through scheduled security policies.

The vulnerability is tracked as CVE-2023-4998 and carries a severity score of 9.6 on the CVSS v3.1 scale. It affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions from 13.12 to 16.2.7 and from 16.3 to 16.3.4.

The discovery of the vulnerability is credited to security researcher and "bug hunter" Johan Karlsson. According to GitLab, the vulnerability is a bypass of a medium-severity issue tracked as CVE-2023-3932, which was patched in August.

Karlsson was able to bypass the security measures implemented for that fix and demonstrated additional impact, which raised the severity assessment of the problem to critical.

The ability of attackers to impersonate other users and run pipelines can lead to unauthorized access to confidential information, as well as abuse of user permissions in the GitLab system. This, in turn, can lead to loss of intellectual property, data leaks, supply chain attacks, and other high-risk scenarios.

GitLab's security bulletin highlights the severity of the vulnerability and urges users to apply the available security updates as soon as possible.

"We strongly recommend that all installations running on versions affected by the described issues update to the latest version as soon as possible," GitLab said in a statement.

A fix is available in GitLab Community Edition and Enterprise Edition versions 16.3.4 and 16.2.7. Users of versions prior to 16.2, for which no fix has been released, should not enable the "Direct Transfers" and "Security Policies" features at the same time. If both features are active, the instance is vulnerable, the developers warn.
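As an added example (not from the post and not GitLab's own tooling), the following Python check turns the affected ranges and the interim mitigation above into something an administrator can run against an instance's version string. The affected ranges are read as "13.12 up to but not including 16.2.7" and "16.3 up to but not including 16.3.4", since the advisory names 16.2.7 and 16.3.4 as the patched releases. The JSON parsing assumes the `{"version": ..., "revision": ...}` shape that GitLab's `GET /api/v4/version` endpoint returns; the sample response is constructed.

```python
"""Affected-version and mitigation check for CVE-2023-4998 (added example)."""
import json
import re

# Affected ranges as stated in the advisory: "from 13.12 to 16.2.7 and from
# 16.3 to 16.3.4". The fix ships in 16.2.7 and 16.3.4, so upper bounds are
# exclusive. Assumption: versions before 13.12 are not affected.
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]

# Matches "16.2.6", "16.3" (patch defaults to 0) and "16.3.4-ee" (suffix ignored).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def assess(version, direct_transfers_enabled, security_policies_enabled):
    """Classify an instance and return (status, recommended action).

    status is one of:
      'not-affected' - version contains the fix or predates the bug
      'affected'     - vulnerable version, but the two features are not
                       both enabled, so the interim mitigation holds
      'exposed'      - vulnerable version with both features enabled
    """
    if not is_affected(version):
        return ("not-affected", "no action required for CVE-2023-4998")
    if direct_transfers_enabled and security_policies_enabled:
        return (
            "exposed",
            "upgrade to 16.2.7 / 16.3.4 now; until then disable either "
            "Direct Transfers or Security Policies",
        )
    return (
        "affected",
        "upgrade to 16.2.7 / 16.3.4; do not enable Direct Transfers and "
        "Security Policies together in the meantime",
    )


def assess_from_version_api(json_text, direct_transfers_enabled, security_policies_enabled):
    """Run assess() on the body of GET /api/v4/version ({"version": ..., "revision": ...})."""
    body = json.loads(json_text)
    return assess(body["version"], direct_transfers_enabled, security_policies_enabled)


if __name__ == "__main__":
    # Constructed sample response; a real check would fetch /api/v4/version
    # with an authenticated client and read the feature flags from the admin UI.
    sample_response = '{"version": "16.3.2", "revision": "deadbeef"}'
    status, action = assess_from_version_api(sample_response, True, True)
    print(f"{status}: {action}")
```

The version parser deliberately tolerates the `-ee` / `-pre` suffixes GitLab appends, so the same check works on both editions; tuple comparison gives correct ordering for multi-digit components (16.10 sorts after 16.9), which naive string comparison gets wrong.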

You can update GitLab here, and get the GitLab Runner packages here.
 