GitLab has released security patches to address a critical vulnerability that allows threat actors to run pipeline jobs as any user through scheduled security scan policies.

Description

GitLab Enterprise Edition (EE) versions 13.12 to 16.2.7 and versions 16.3 to 16.3.4 are affected by a flaw that lets a threat actor change the author recorded for a security policy file using a specific command. Because the scheduled scan pipeline runs with the policy author's permissions, this lets the attacker hijack pipeline permissions and gain access to private repositories [3]. Exploiting this vulnerability can lead to unauthorized access to sensitive information, source code modification, or execution of arbitrary code [4]. Security researcher Johan Carlsson (aka joaxcar) discovered and reported the flaw on September 19, 2023, through the GitLab HackerOne bug bounty program [1]. GitLab strongly recommends updating to the latest version to mitigate the risk [3]. As an interim measure on earlier versions, users are advised not to enable both the ‘Direct Transfers’ and ‘Security Policies’ features concurrently [1]. The impact of this bypass is significant [2] [5], with a CVSS base score of 9.6 [5]. More information can be found in the GitLab issue and the HackerOne report [5].
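A fleet check against the affected ranges quoted above, added here as an example and not part of the original advisory or of GitLab's own tooling. It assumes the ranges are half-open, i.e. that 16.2.7 and 16.3.4 are the fixed releases, and that every version string in the inventory is an EE build (the `-ee` suffix is ignored when parsing).

```python
"""Affected-version check for CVE-2023-5009 (GitLab EE)."""
import re
from typing import Dict, Tuple

# (first affected, first fixed) per release line. Constructed from the ranges
# quoted in the advisory summary; assumes 16.2.7 and 16.3.4 are the fixes.
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '16.2.5-ee' or '16.3' into (major, minor, patch); a missing
    patch component counts as 0, and any '-ee' style suffix is dropped."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str:
    """Fixed release on the same line as an affected version, else ''."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return ""


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected instance in {name: version} to the fix it needs."""
    return {name: recommended_fix(ver) for name, ver in inventory.items()
            if is_affected(ver)}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ci-a": "16.2.5-ee", "ci-b": "16.3.4-ee", "ci-c": "16.3.1-ee",
              "ci-d": "13.11.2-ee", "ci-e": "16.4.0-ee"}
    for name, fix in audit(sample).items():
        print(f"{name}: affected, upgrade to {fix}")
```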

Conclusion

This vulnerability in GitLab EE versions 13.12 to 16.2.7 and versions 16.3 to 16.3.4 allows threat actors to run pipeline jobs as any user by exploiting scheduled security scan policies [6]; it is a bypass of the earlier fix for CVE-2023-3932 [2] [3] [5] [6]. The impact is significant, with potential unauthorized access to sensitive information, source code manipulation, and execution of arbitrary code [4]. GitLab has released security patches and strongly advises users to update to the latest version to mitigate the risk. Until then, it is recommended not to enable both the ‘Direct Transfers’ and ‘Security Policies’ features concurrently on earlier versions of GitLab [1]. This incident highlights the importance of regular security updates and the need for vigilance in protecting sensitive data and source code.

References

[1] http://en.hackdig.com/09/526266.htm
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-5009
[3] https://www.darkreading.com/application-security/gitlab-users-advised-to-patch-critical-flaw-immediately
[4] https://thehackernews.com/2023/09/gitlab-releases-urgent-security-patches.html
[5] https://www.tenable.com/cve/CVE-2023-5009
[6] https://vulners.com/cve/CVE-2023-5009