GitLab users are advised to install the emergency fix immediately. The reason is simple: a flaw has just been discovered on the platform, and it could mean real trouble for GitLab users if nothing is done right away.
GitLab Users Advised To Install Emergency Fix
GitLab has just released a fix for a newly discovered security flaw, and the company is urging its users to install it immediately, as it addresses a high-severity vulnerability that could cause serious trouble over time.
In a security bulletin, GitLab stated that an attacker could abuse scan execution policies to run pipelines (a series of automated tasks) as another user.
Details of the Flaw Being Tracked
The flaw is tracked as CVE-2023-4998 and reportedly carries a severity score of 9.6. It affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7, as well as versions 16.3 through 16.3.4.
What Users Should Know About a Threat Actor
According to a report from BleepingComputer, a threat actor could impersonate a user without their knowledge or permission, and could then access sensitive information, run malicious code, modify data, or trigger specific events within the GitLab system. Since GitLab is a code management platform, the publication notes, the vulnerability could lead to intellectual property theft, data leaks, supply chain attacks, and more.
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab stated in the advisory.
The Vulnerability Was Discovered By Security Researcher Johan Carlsson
The vulnerability, discovered by security researcher Johan Carlsson, stems from a prior flaw that was apparently not addressed properly. Just the previous month, a vulnerability tracked as CVE-2023-3932 was reportedly found and patched. At the time, it was rated as a medium-severity flaw. However, Carlsson found a way to work around the fix and discovered that the new flaw carries even more weight, hence the new severity score of 9.6.
What Users Are Advised To Do
Users running GitLab versions older than 16.2 should make sure that “Direct transfers” and “Security policies” are not both turned on at the same time, as that combination leaves the endpoint vulnerable. Only one of the two should be enabled at any given time, the advisory said.
For those who don’t know, GitLab can be updated via GitLab Runner packages from the official website.
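As an added illustration (not part of the article or of GitLab's own tooling), the following Python check maps an instance's version onto the affected ranges listed above and, for versions older than 16.2, flags the interim workaround of not running Direct transfers and Security policies together. The version endpoint name and its JSON shape are assumptions, and the sample payload is constructed.

```python
"""Classify a GitLab instance against the CVE-2023-4998 affected version ranges
and the interim workaround described for versions older than 16.2.
Assumption (not from the article): GitLab's GET /api/v4/version endpoint returns
JSON of the form {"version": "16.2.3-ee", ...}; the sample used below is constructed."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Affected ranges as given in the article (inclusive on both ends).
AFFECTED_RANGES = (((13, 12, 0), (16, 2, 7)), ((16, 3, 0), (16, 3, 4)))
# Below this version the advisory's feature-toggle workaround also applies.
WORKAROUND_BELOW: Version = (16, 2, 0)

NOT_AFFECTED = "not-affected"
UPGRADE = "upgrade"
UPGRADE_AND_WORKAROUND = "upgrade-and-disable-one-of-direct-transfers-or-security-policies"


def parse_version(text: str) -> Version:
    """Turn '16.2.3-ee' or '16.3' into (major, minor, patch); a missing patch counts as 0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text: str) -> bool:
    """True if the version falls inside either published affected range."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(text: str, direct_transfers: bool, security_policies: bool) -> str:
    """Combine the version check with the pre-16.2 feature-toggle workaround."""
    if not is_affected(text):
        return NOT_AFFECTED
    if parse_version(text) < WORKAROUND_BELOW and direct_transfers and security_policies:
        return UPGRADE_AND_WORKAROUND
    return UPGRADE


def assess_api_payload(payload: Dict[str, str], direct_transfers: bool, security_policies: bool) -> str:
    """Same check driven by an (assumed) /api/v4/version response body."""
    return assess(payload["version"], direct_transfers, security_policies)


if __name__ == "__main__":
    sample = {"version": "15.11.2-ee", "revision": "constructed"}  # constructed sample payload
    print(assess_api_payload(sample, direct_transfers=True, security_policies=True))
```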