GitLab has released security patches to resolve a critical flaw that lets an attacker run pipelines as another user.
The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7, as well as from 16.3 and before 16.3.4.
“It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies,” GitLab said in an advisory. “This was a bypass of CVE-2023-3932 showing additional impact.”
Successful exploitation of CVE-2023-5009 could make it possible for a threat actor to access sensitive information or leverage the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences.
Security researcher Johan Carlsson (aka joaxcar) has been credited with discovering and reporting the flaw. CVE-2023-3932 was addressed by GitLab in early August 2023.
The vulnerability has been addressed in GitLab versions 16.3.4 and 16.2.7.
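The affected ranges above are easy to misread when triaging a fleet of instances, so here is a small version check written for this article (it is not GitLab's own code). It encodes the two ranges from the advisory, parses a GitLab version string such as `16.2.6-ee`, and reports whether the install is affected and which of the two fixed releases applies. The version strings in the block are constructed samples; on a real instance the value would come from the `GET /api/v4/version` endpoint or `gitlab-rake gitlab:env:info`.

```python
"""Check whether a GitLab EE version falls inside the ranges affected by
CVE-2023-5009, as stated in GitLab's advisory:

    13.12 <= version < 16.2.7   or   16.3 <= version < 16.3.4

Added example for this article, not GitLab's code. The sample version
strings at the bottom are constructed for illustration.
"""
import re
from typing import Tuple

# (first affected, first fixed) pairs: lower bound inclusive, upper exclusive.
AFFECTED_RANGES = (
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '16.2.6-ee' or '16.3' into a (major, minor, patch) tuple.

    Edition suffixes such as '-ee' are ignored; a missing patch level
    (e.g. '16.3') is treated as .0, matching how the advisory words it.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside either affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def advise(version: str) -> str:
    """One-line triage verdict with the applicable fixed release."""
    if not is_affected(version):
        return f"{version}: not in an affected range"
    v = parse_version(version)
    # 16.3.x installs get the 16.3 fix; everything older gets 16.2.7,
    # the other fixed release named in the advisory.
    target = "16.3.4" if v >= (16, 3, 0) else "16.2.7"
    return f"{version}: affected by CVE-2023-5009, upgrade to {target} or later"


if __name__ == "__main__":
    # Constructed sample versions around each range boundary.
    for sample in ("13.11.9-ee", "13.12.0-ee", "16.2.6-ee", "16.2.7-ee",
                   "16.3.3-ee", "16.3.4-ee", "16.4.0-ee"):
        print(advise(sample))
```

The check is deliberately conservative about the lower bound of the second range: the advisory says "from 16.3", so `16.3.0` is counted as affected. Community Edition is not named as affected in the advisory, so the function takes no edition into account; feed it EE versions.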
The disclosure comes as a two-year-old critical GitLab bug (CVE-2021-22205, CVSS score: 10.0) continues to be actively exploited by threat actors in real-world attacks.
Earlier this week, Trend Micro revealed that a China-linked adversary known as Earth Lusca is aggressively targeting public-facing servers by weaponizing N-day security flaws, such as CVE-2021-22205, to infiltrate victim networks.
It's highly recommended that users update their GitLab installations to the latest version as soon as possible to safeguard against potential threats.
Some parts of this article are sourced from:
thehackernews.com