GitLab has published two patched releases, 16.2.7 and 16.3.4, for the Enterprise Edition (EE) and Community Edition (CE) of its DevOps platform, in response to a critical-severity bug reported through its HackerOne bug bounty program.
Tracked as CVE-2023-5009 with a CVSS score of 9.6, the vulnerability allows an attacker to impersonate an arbitrary user and run pipelines via scheduled security scan policies.
“An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4,” GitLab said in an advisory. “We strongly recommend that all installations running a version affected by these issues are upgraded to the latest version as soon as possible.”
The flaw is a bypass of another bug fixed in July, tracked as CVE-2023-3932, which allowed similar attacker actions.
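A quick way to turn the advisory's version ranges into a check for your own instances. This is an added example, not code from GitLab or from the advisory: it encodes the affected ranges quoted above and interprets the JSON body that a GET on /api/v4/version returns (the sample body below, including its revision value, is constructed for the example).

```python
"""Check whether a GitLab version is in the ranges affected by CVE-2023-5009.

Affected per the advisory: >= 13.12 and < 16.2.7, or >= 16.3 and < 16.3.4.
"""
import json
import re

# (inclusive lower bound, exclusive upper bound) as (major, minor, patch) tuples
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]


def parse_version(version):
    """Parse '16.3.4', '16.3.4-ee', 'v16.3' or '16.3' into a (major, minor, patch) tuple.

    A missing patch component is treated as 0, so '16.3' sorts as the first
    release of the 16.3 series (which the advisory lists as affected).
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version):
    """Smallest patched release on the same branch, or None if not affected."""
    if not is_affected(version):
        return None
    return "16.2.7" if parse_version(version) < (16, 3, 0) else "16.3.4"


def check_instance_version(version_json):
    """Interpret the JSON body of GET /api/v4/version for one instance."""
    data = json.loads(version_json)
    running = data["version"]
    return {
        "version": running,
        "affected": is_affected(running),
        "upgrade_to": recommended_upgrade(running),
    }


# Constructed sample response; a real instance returns its own version/revision.
SAMPLE_VERSION_RESPONSE = '{"version": "16.3.2-ee", "revision": "0123abcd456"}'

if __name__ == "__main__":
    for v in ["13.11.0", "13.12.0", "16.2.6-ee", "16.2.7", "16.3", "16.3.4"]:
        print(f"{v:10} affected={is_affected(v)!s:5} upgrade_to={recommended_upgrade(v)}")
    print(check_instance_version(SAMPLE_VERSION_RESPONSE))
```

Versions outside both ranges (older than 13.12, or newer than the patched releases) are reported as not affected, which matches the advisory but says nothing about other CVEs; treat the script as a triage aid, not a substitute for tracking GitLab's release notes.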
Vulnerability exploits scheduled security scan policies
It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies, GitLab said. A pipeline in GitLab is a series of automated steps, or jobs, that run for example whenever changes are pushed to a Git repository.
The vulnerability could be triggered via the scan execution policy based on who last made a commit to the policy.yml file. Because the pipeline's identity is taken from that last committer, an attacker who pushes changes to policy.yml using a victim's username causes the pipeline to run as the victim.