GitLab Users Advised to Update Against Critical Flaw Immediately

The bug has a CVSS score of 9.6 and allows unauthorized users to compromise private repositories.

GitLab users need to update their servers urgently to protect against a new critical flaw that could allow threat actors to run pipelines as other users and compromise private repositories.

The flaw, CVE-2023-5009, is in the scheduled security scan policies, according to GitLab, and is a bypass of another bug from July, tracked under CVE-2023-3932.

"We strongly recommend that all installations running a version affected by the issues ... are upgraded to the latest version as soon as possible," GitLab said.

Any user could potentially exploit the critical flaw by changing the policy file author with the "git config" command, according to Alex Ilgayev, head of security research at Cycode.

"The vulnerability is a bypass to another vulnerability reported and fixed one month ago, which allowed forging the identity of the policy file committer, hijacking the pipeline permissions, and gaining access to any users' private repositories," Ilgayev said. "While GitLab didn't release official information regarding the bypass, by inspecting the GitLab source code, the bypass seems to involve removing the bot user from the group and allowing the execution of the previous vulnerability flow again."

About the Author

Becky Bracken, Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.
