It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies.

GitLab has released two patched releases, 16.2.7 and 16.3.4, for the Enterprise (EE) and Community (CE) editions of the DevOps platform in response to a critical-severity bug discovered through its HackerOne bug bounty program. Tracked as CVE-2023-5009, with a CVSS score of 9.6, the vulnerability allows an attacker to pose as an arbitrary user to run pipelines via scheduled scan policies.

"An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4," GitLab said in a statement. "We strongly recommend that all installations running a version affected by these issues are upgraded to the latest version as soon as possible."

The flaw is a bypass of the fix for an earlier bug from July, tracked as CVE-2023-3932, which allowed similar attacker activity.

Vulnerability exploits scheduled security scan policies

It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies, GitLab said. A pipeline in GitLab is a series of automated steps or jobs that are executed whenever changes are pushed to a Git repository.

The vulnerability could be triggered via the scan execution policy on the basis of who last committed to the policy.yml file. The pipeline is triggered by a commit from an attacker who uses a victim's username to push changes to policy.yml as that victim. As the author of the triggered pipeline, the attacker gains access to all of the victim's repositories and private code. All of this happens without any user interaction; the only prerequisites are the victim's GitLab username and the names of the internal or member-only projects containing code.
Trigger has configuration needs

Instances running versions starting from 13.12 before 16.2.7, and all versions starting from 16.3 before 16.3.4, are vulnerable only when two features are enabled at the same time on the DevOps platform: Direct transfers and Security Policies, according to GitLab. "In order to mitigate this vulnerability in situations where it's not possible to upgrade, it is required to disable one or both features," GitLab added.

GitLab has advised users to update quickly to security releases 16.3.4 and 16.2.7, which also include a few non-security patches. GitLab.com is already running the patched version, the company added.
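As an added example, not code from GitLab or from this article: a small Python check that maps an instance's reported version (the JSON returned by the /api/v4/version endpoint, a constructed sample here) against the two affected ranges and the two-feature condition above. The Direct transfers and Security Policies states are passed in as booleans that an operator reads from the admin settings; the code does not query them.

```python
import json
import re
from typing import Tuple

# Affected ranges from the GitLab advisory for CVE-2023-5009:
# 13.12 <= version < 16.2.7 and 16.3 <= version < 16.3.4
AFFECTED_RANGES = [((13, 12, 0), (16, 2, 7)), ((16, 3, 0), (16, 3, 4))]

# Constructed sample of a GET /api/v4/version response body (not from a real instance).
SAMPLE_VERSION_BODY = '{"version": "16.2.6-ee", "revision": "0000000"}'


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Turn a GitLab version string such as '16.2.6-ee' or '16.3' into a
    comparable (major, minor, patch) tuple; edition and pre-release suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_from_api_body(body: str) -> str:
    """Extract the version field from a /api/v4/version JSON response."""
    return json.loads(body)["version"]


def is_affected(raw: str) -> bool:
    """True when the version falls inside either range named in the advisory."""
    v = parse_version(raw)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def assess(raw: str, direct_transfers_enabled: bool, security_policies_enabled: bool) -> str:
    """Classify an instance using the advisory's conditions: an affected version is
    exploitable only when Direct transfers and Security Policies are both enabled.
    Returns 'patched', 'vulnerable' or 'mitigated' (affected version, one feature off)."""
    if not is_affected(raw):
        return "patched"
    if direct_transfers_enabled and security_policies_enabled:
        return "vulnerable"
    return "mitigated"


if __name__ == "__main__":
    version = version_from_api_body(SAMPLE_VERSION_BODY)
    print(version, "->", assess(version, True, True))  # prints "16.2.6-ee -> vulnerable"
```

A "mitigated" result still means the instance runs an affected version, so the upgrade to 16.2.7 or 16.3.4 remains the real fix.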