
Researchers have discovered a vulnerability in GitLab that affects both GitLab Community Edition (CE) and Enterprise Edition (EE), in all versions from 13.12 up to but not including 16.2.7, and from 16.3 up to but not including 16.3.4.
The vulnerability, tracked as CVE-2023-4998, carries a CVSS v3.1 score of 9.6 (critical). It is a bypass of a previously reported flaw, CVE-2023-3932, which GitLab patched in August. Despite that fix, the researcher found a way around it, proving that attackers could still exploit the underlying weakness, and the bypass was assigned its own CVE with a critical rating.
With this vulnerability, an attacker could impersonate other users without their consent and run pipelines as them through scheduled security scan policies, potentially reading sensitive data, manipulating user data, or triggering actions inside GitLab. Given that GitLab sits at the heart of many organisations' source code management and CI/CD, this could lead to intellectual property theft, significant data breaches, supply chain attacks, and other high-stakes threats.
Fortunately, GitLab has released security updates that address CVE-2023-4998. Users on affected versions are strongly urged to upgrade to the patched releases, 16.3.4 or 16.2.7.
For those on older versions prior to 16.2, which remain unpatched, there is a recommended workaround: ensure that the "Direct transfers" and "Security policies" features are not enabled at the same time. The bulletin emphasises that an instance is vulnerable only when both features are active simultaneously, so disabling either one shields the instance until it can be upgraded.
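A quick way to tell whether a given instance needs the patch or the workaround is to compare its reported version against the advisory's two ranges (note the upper bounds are exclusive, since 16.2.7 and 16.3.4 are the fixed releases) and then look at the Direct transfers toggle. The script below is an added example, not GitLab's own code or part of the advisory. It assumes the `/api/v4/version` and `/api/v4/application/settings` JSON shapes shown in the constructed samples, and that the application setting `bulk_import_enabled` is the field behind the Admin Area "Direct transfers" toggle; whether Security policies are in use is passed in by the operator, because that depends on which projects are linked to a security policy project rather than on a single instance-wide flag.

```python
"""Assess a GitLab instance against CVE-2023-4998 (added example, not GitLab code)."""
import json
import re
from typing import Tuple

# Affected ranges from the advisory, as half-open intervals:
# [13.12.0, 16.2.7) and [16.3.0, 16.3.4). 16.2.7 and 16.3.4 are the fixed releases.
AFFECTED_RANGES = (
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
)

# Constructed sample API responses (not captured from a real instance).
SAMPLE_VERSION = '{"version": "16.2.6-ee", "revision": "deadbeef"}'
SAMPLE_SETTINGS = '{"bulk_import_enabled": true, "signup_enabled": false}'


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Turn strings like '16.2.6-ee' or '16.3' into a comparable (major, minor, patch)."""
    core = raw.strip().split("-")[0].split("+")[0]  # drop '-ee' / build metadata
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", core)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(raw_version: str) -> bool:
    """True when the version lies in one of the advisory's affected ranges."""
    v = parse_version(raw_version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def workaround_applied(settings: dict, security_policies_in_use: bool) -> bool:
    """Advisory workaround: Direct transfers and Security policies must not both be on.

    Assumption: 'bulk_import_enabled' in the application settings API is the
    field behind the Admin Area 'Direct transfers' toggle.
    """
    direct_transfers = bool(settings.get("bulk_import_enabled", False))
    return not (direct_transfers and security_policies_in_use)


def assess(version_json: str, settings_json: str, security_policies_in_use: bool) -> str:
    """Classify an instance from its /version and /application/settings responses."""
    version = json.loads(version_json)["version"]
    settings = json.loads(settings_json)
    if not is_affected(version):
        return "not affected"
    if workaround_applied(settings, security_policies_in_use):
        return "affected, workaround in place: upgrade to 16.2.7 or 16.3.4 when possible"
    return "VULNERABLE: upgrade to 16.2.7 or 16.3.4, or disable Direct transfers or Security policies"


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SETTINGS, security_policies_in_use=True))
```

On a live instance the two JSON documents would come from `GET /api/v4/version` and `GET /api/v4/application/settings` (the latter requires an administrator token); the range logic is the part worth keeping, since it encodes the advisory's exclusive upper bounds that are easy to get wrong when reading "13.12 to 16.2.7".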
The discovery was credited to security researcher Johan Carlsson (joaxcar), who reported it through GitLab's HackerOne bug bounty program.