GitLab Users Advised to Update Against Critical Flaw Immediately
The bug has a CVSS score of 9.6 and allows unauthorized users to compromise private repositories.
September 20, 2023
GitLab users need to update their self-managed servers urgently to protect against a new critical flaw that could allow threat actors to run pipelines as other users and, through them, gain access to private repositories.
The flaw, tracked as CVE-2023-5009, lies in the handling of scheduled security scan policies, according to GitLab, and is a bypass of an earlier bug disclosed in July, tracked as CVE-2023-3932.
"We strongly recommend that all installations running a version affected by the issues ... are upgraded to the latest version as soon as possible," GitLab said.
Any user could potentially exploit the critical flaw by changing the policy file author with the "git config" command, according to Alex Ilgayev, head of security research at Cycode.
"The vulnerability is a bypass to another vulnerability reported and fixed one month ago, which allowed forging the identity of the policy file committer, hijacking the pipeline permissions, and gaining access to any users' private repositories," Ilgayev said. "While GitLab didn't release official information regarding the bypass, by inspecting the GitLab source code, the bypass seems to involve removing the bot user from the group and allowing the execution of the previous vulnerability flow again."