Gitlab has released two patched releases, 16.2.7 and 16.3.4 for the Enterprise (EE) and Community (CE) editions of the DevOps platform in response to a critical severity bug discovered through its HackerOne bug bounty program.\n\nDubbed CVE_2023-5009, with a CVSS score of 9.6, the vulnerability allows an attacker to pose as an arbitrary user to run pipelines via scheduled scan policies.\n\n\u201cAn issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4,\u201d Gitlab said in a statement. \u201cWe strongly recommend that all installations running a version affected by these issues are upgraded to the latest version as soon as possible.\u201d\n\nThe flaw is a bypass of another bug from July, tracked under CVE-2023-3932, which allowed similar attacker activities.\n\nVulnerability exploits scheduled security scan policies\n\nIt was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies, Gitlab said. A pipeline in Gitlab is a series of automated steps or jobs that are executed whenever changes are pushed to a Git repository.\n\nThe vulnerability could be triggered via the scan execution policy on the basis of who last made a commit on the policy.yml file. The pipeline is triggered through a commit by an attacker who uses a victim username to push changes to policy.yml as a victim.\n\nAs the author of the triggered pipeline, the attacker has access to all of the victim\u2019s repositories and private codes. All this is done without any user interaction and the only pre-requisite is the victim\u2019s Gitlab username and names of the internal or member-only projects with codes.\n\nTrigger has configuration needs\n\nInstances running versions starting from 13.12 before 16.2.7, and all versions starting from 16.3 before 16.3.4 are vulnerable given two features are enabled at the same time on the DevOps platform \u2014 Direct transfers and Security Policies, according to Gitlab.\n\n\u201cIn order to mitigate this vulnerability in situations where it's not possible to upgrade, it is required to disable one or both features,\u201d Gitlab added.\n\nGitlab has advised users to quickly update to security releases 16.3.4 and 16.2.7 which also include a few non-security patches. GitLab.com is already running the patched version, the company added.