TOPNews.MEDIA
GitLab urges users to install security updates for critical pipeline flaw

Posted on 19.09.2023

GitLab

GitLab has released security updates to address a critical severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies.

GitLab is a popular web-based open-source software project management and work tracking platform, offering a free and commercial version.

The flaw was assigned CVE-2023-4998 (CVSS v3.1 score: 9.6) and impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4.

The issue was discovered by security researcher and bug hunter Johan Carlsson, and GitLab said it is a bypass of a medium-severity problem tracked as CVE-2023-3932 that was fixed in August.

The researcher found a way to overcome the protections implemented for that fix and demonstrated additional impact, which raised the flaw's severity rating to critical.

Impersonating users without their knowledge or permission to run pipelines (series of automated tasks) could give attackers access to sensitive information or let them abuse the impersonated user's permissions to run code, modify data, or trigger specific events within the GitLab system.

Considering that GitLab is used to manage code, such a compromise could result in loss of intellectual property, damaging data leaks, supply chain attacks, and other high-risk scenarios.

GitLab’s bulletin underlines the severity of the vulnerability, urging users to apply the available security updates promptly.

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.” – GitLab.

The versions that resolve CVE-2023-4998 are GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7.
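A quick way to triage an inventory of self-managed instances against the ranges quoted above, as an added example that is not part of the original article or of GitLab's tooling: the script reads the article's two affected ranges as half-open (affected up to, but not including, the fixed releases 16.2.7 and 16.3.4), parses version strings, and names the release to move to. The sample versions at the bottom are constructed.

```python
"""Check whether a self-managed GitLab version falls in the CVE-2023-4998
affected ranges quoted in the article and, if so, which release to move to."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected, first fixed) per release line, taken from the article.
# The article names 16.2.7 and 16.3.4 as the fixed releases, so each range
# is read as half-open: affected from the first version up to, but not
# including, the fixed release.
AFFECTED_LINES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]


def parse_version(text: str) -> Version:
    """Turn '16.2.5-ee' or '16.3' into a comparable tuple like (16, 2, 5)."""
    core = text.strip().split("-")[0]          # drop edition suffix such as -ee
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                      # '16.3' -> (16, 3, 0)
        parts.append(0)
    return tuple(parts[:3])


def fixed_release_for(version: str) -> Optional[str]:
    """Return the release that fixes CVE-2023-4998 for this version,
    or None if the version is not in an affected range."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_LINES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def assess(version: str) -> str:
    """Human-readable verdict for one instance."""
    fix = fixed_release_for(version)
    if fix is None:
        return f"{version}: not in an affected range"
    return f"{version}: affected, upgrade to {fix}"


if __name__ == "__main__":
    # Constructed sample inventory, not real instances.
    for v in ["13.11.0", "15.11.2-ee", "16.2.6", "16.2.7", "16.3.0", "16.3.4", "16.4.0"]:
        print(assess(v))
```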

For users of versions before 16.2, which have not received fixes for the security issue, the proposed mitigation is to avoid having both “Direct transfers” and “Security policies” turned on.

If both features are active, the instance is vulnerable, the bulletin warns, so users are advised to keep only one of them enabled at a time.

Users can update GitLab from here or obtain GitLab Runner packages from this official webpage.
