This Cybersecurity Threat Advisory highlights GitLab’s recent critical vulnerability, which security update have been released for. A successful exploitation can allow threat actors to mask themselves as other users during scheduled security scans while they run automated tasks (also known as pipelines). Barracuda MSP recommends applying the latest GitLab patches as soon as possible.
What is the threat?
The vulnerability discovered is currently being tracked as CVE-2023-5009. It appears to be a bypass of a different vulnerability reported and fixed in August known as CVE-2023-3932. As mentioned, CVE-2023-5009 could allow threat actors to run pipelines on the compromised system as other users after proper exploitation. This was discovered by researcher and bug hunter Johan Carlsson. The affected GitLab versions for this vulnerability include:
- GitLab Community Edition (CE) 13.12 to 16.2.7 and 16.3 to 16.3.4
- GitLab Enterprise Edition (EE) 13.12 to 16.2.7 and 16.3 to 16.3.4
Why is it noteworthy?
GitLab is an open-source software project management platform used globally. With a CVE score of 9.3 according to NIST’s National Vulnerability Database, it warrants action to be taken immediately.
What is the exposure or risk?
GitLab’s recent vulnerability can lead to significant exposure and/or risk for its customers. If exploited successfully, it may allow an attacker to impersonate users without their knowledge and run pipelines. This could result in threat actors accessing sensitive data and/or abuse the affected user’s account permissions to run code, modify data or even trigger automated events within GitLab.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of this GitLab vulnerability:
- Apply the latest patches available for GitLab.
- Perform an audit on user’s permissions within Gitlab.
- If using before version 16.2, avoid turning on the “Direct transfers” and “Security policies” settings to mitigate this issue.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.