GitLab, a widely used web-based open-source software project management and collaboration platform, has released critical security updates to address a severe vulnerability that exposes users to the risk of having their pipelines executed by attackers via scheduled security scan policies.
Furthermore, this vulnerability, assigned CVE-2023-4998 with a high CVSS v3.1 score of 9.6, affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7, as well as versions 16.3 through 16.3.4.
The security flaw was initially categorized as a medium-severity issue (CVE-2023-3932) and was previously fixed in August. However, security researcher Johan Carlsson discovered a way to bypass the implemented protections, effectively escalating the severity of the vulnerability to critical.
By exploiting this flaw, attackers can impersonate users and execute pipeline tasks, potentially gaining access to sensitive information or abusing the impersonated user’s privileges to manipulate data or trigger specific actions within the GitLab system.
Considering that GitLab is a platform used for code management, a successful compromise could lead to severe consequences such as intellectual property theft, data breaches, supply chain attacks, and other high-risk scenarios.
GitLab has strongly urged all users to apply the provided security updates immediately to address this vulnerability. The versions that resolve CVE-2023-4998 are GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7, and users of earlier versions are advised to take precautionary measures to mitigate the risk.
