Main Points:
- GitLab shipped patches to fix a potent security flaw (CVE-2023-5009)
- The flaw impacts all GitLab EE versions from 13.12 before 16.2.7, and from 16.3 before 16.3.4
- Critical flaw allowed attackers to run pipelines as any user
GitLab, in a move faster than a system reboot, has dispatched security patches to iron out a daunting security flaw that could let an external attacker run pipelines pretending to be another user. Not even a well-written Python script can copy someone as brilliantly and problematically as this flaw could.
This loophole, officially labelled as CVE-2023-5009 (scoring an alarmingly high 9.6 on the CVSS scale), left its unwanted mark on all GitLab Enterprise Edition (or GitLab EE as the kids call it these days) versions starting from the old chap 13.12 and up until, but not including, the young lad 16.2.7. It also extends its reach to versions 16.3 and anything before 16.3.4. That’s like saying it affected everything from the original Star Trek to The Next Generation!
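A quick way to turn those two version ranges into an "is my instance affected?" check, as an added example that is not part of the original article. It assumes GitLab version strings of the form major.minor[.patch][-ee|-ce]; the edition handling (CE never affected, untagged treated as EE) is this example's own assumption, not something the article states.

```python
"""Check GitLab version strings against the CVE-2023-5009 affected ranges.

Added example, not code from the original article. Ranges follow the summary
above: 13.12 <= v < 16.2.7 and 16.3 <= v < 16.3.4, Enterprise Edition only.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) for each release line named in the advisory
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(ee|ce))?$")

def parse_version(text: str) -> Tuple[Version, Optional[str]]:
    """Parse '16.3.2-ee' into ((16, 3, 2), 'ee'); a missing patch level
    counts as .0, matching how the advisory names the start of a line."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch or 0)), edition

def is_affected(text: str) -> bool:
    """True if the version falls inside an affected range. The flaw is
    EE-only, so '-ce' builds are never affected; untagged versions are
    assumed (by this example) to be EE, the conservative reading."""
    version, edition = parse_version(text)
    if edition == "ce":
        return False
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)

def triage(versions: List[str]) -> Dict[str, bool]:
    """Map each inventoried version string to 'needs the patch?'."""
    return {v: is_affected(v) for v in versions}

if __name__ == "__main__":
    # Constructed sample inventory, not data from the article; the
    # boundary values show that 16.2.7 and 16.3.4 are the fixed releases.
    sample = ["13.11.5-ee", "13.12.0-ee", "16.2.6-ee", "16.2.7-ee",
              "16.3.3-ee", "16.3.4-ee", "16.3.2-ce"]
    for v, hit in triage(sample).items():
        print(f"{v:12} {'AFFECTED' if hit else 'not affected'}")
```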
The critical vulnerability gave attackers the potential to pull a real-life “mission impossible,” allowing them to run pipelines as just about any user via scheduling. This gave even “Casper the friendly ghost” a run for his money, letting attackers impersonate users like a ghostly Halloween character (only much creepier and far less welcome).
Summary:
In essence, GitLab was faced with a digital “Wolf in Sheep’s Clothing” scenario where an attacker had the ability to masquerade as another user and run pipelines. They swiftly confronted this by shipping vital security patches for a critical flaw, specifically CVE-2023-5009. This menace gripped numerous GitLab EE versions starting from 13.12. While the situation was as gloomy as forgetting your phone’s charger on a long trip, GitLab’s timely intervention plugged in the much-needed security “power bank.”
Original Article: https://thehackernews.com/2023/09/gitlab-releases-urgent-security-patches.html