GitLab Urges Users to Install Security Updates for Critical Pipeline Flaw
"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible." - GitLab.
- "GitLab has released security updates to address a critical severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies."
- "The flaw was assigned CVE-2023-5009 (CVSS v3.1 score: 9.6) and impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4."
- "Impersonating users without their knowledge or permission to run pipeline tasks (a series of automated tasks) could result in the attackers accessing sensitive information or abusing the impersonated user's permissions to run code, modify data, or trigger specific events within the GitLab system."
- "For users of versions before 16.2, which have not received fixes for the security issue, the proposed mitigation is to avoid having both "Direct transfers" and "Security policies" turned on."
- "Users can update GitLab from here or obtain GitLab Runner packages from this official webpage."
