GitLab has released security patches to address a critical flaw that allows an attacker to run pipelines as another user.
The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), affects all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7, as well as from 16.3 and prior to 16.3.4.
"It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies," GitLab said in an advisory. "This was a bypass of CVE-2023-3932 showing additional impact."
Successful exploitation of CVE-2023-5009 could allow a threat actor to access sensitive information or use the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences.
Security researcher Johan Carlsson (aka joaxcar) has been credited with discovering and reporting the flaw. CVE-2023-3932 was addressed by GitLab in early August 2023.
The vulnerability has been fixed in GitLab versions 16.3.4 and 16.2.7.
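For administrators of self-managed instances, the practical question is whether the running build falls inside the two affected ranges above. The following is an added example, not GitLab's own code: it parses a version string in the form GitLab reports it (for instance the `version` field of the `/api/v4/version` endpoint, which carries an `-ee` or `-ce` suffix) and checks it against the ranges from the advisory. Treating a suffix-less version as EE is a conservative assumption made here; the sample inputs at the bottom are constructed.

```python
# Added example (not GitLab's code): check a self-managed GitLab version
# string against the CVE-2023-5009 affected ranges from GitLab's advisory:
#   EE >= 13.12 and < 16.2.7, or EE >= 16.3 and < 16.3.4.
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) for each range; the upper bound is exclusive,
# so the fixed releases 16.2.7 and 16.3.4 are reported as not vulnerable.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]


def parse_version(version: str) -> Tuple[Version, str]:
    """Split 'MAJOR.MINOR.PATCH[-edition]' into a comparable tuple and the
    edition suffix ('ee', 'ce', or '' when absent)."""
    core, _, edition = version.strip().partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch), edition.lower()


def affected_range(version: str) -> Optional[Tuple[Version, Version]]:
    """Return the affected range the version falls into, or None."""
    v, edition = parse_version(version)
    # The advisory lists Enterprise Edition only. A bare version with no
    # suffix is treated as EE here (assumption: err on the side of caution).
    if edition == "ce":
        return None
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return lo, hi
    return None


def is_vulnerable(version: str) -> bool:
    return affected_range(version) is not None


def recommended_fix(version: str) -> Optional[str]:
    """First fixed release for an affected version, e.g. '16.3.4'."""
    rng = affected_range(version)
    if rng is None:
        return None
    return ".".join(str(n) for n in rng[1])


if __name__ == "__main__":
    # Constructed sample inputs, in the shape /api/v4/version returns them.
    for sample in ["16.2.6-ee", "16.2.7-ee", "16.3.0-ee", "16.3.4-ee",
                   "13.11.9-ee", "16.2.6-ce"]:
        fix = recommended_fix(sample)
        status = f"vulnerable, upgrade to {fix}" if fix else "not affected"
        print(f"{sample:12s} {status}")
```

Versions are compared as integer tuples rather than strings so that 16.2.10 sorts after 16.2.7; a naive string comparison would misclassify it.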
The disclosure comes as a two-year-old critical GitLab bug (CVE-2021-22205, CVSS score: 10.0) continues to be actively exploited by threat actors in real-world attacks.
Earlier this week, Trend Micro revealed that a China-linked adversary known as Earth Lusca is aggressively targeting public-facing servers by weaponizing N-day security flaws, including CVE-2021-22205, to infiltrate victim networks.
It is highly recommended that users update their GitLab installations to the latest version as soon as possible to safeguard against potential risks.