Gitlab Critical Security Release 16.3.4 and 16.2.7 (CVE-2023-5009)


Shane Filus

Sep 20, 2023, 5:01:10 PM
to cv-an...@trustedci.org

CI Operators:

GitLab has released v16.3.4 and v16.2.7 [1] to address a critical security vulnerability. This affects both GitLab Community Edition (CE) and Enterprise Edition (EE). The issue is tracked as CVE-2023-5009 [2] and has a CVSS v3 score of 9.6.


Impact:

It is possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies.


Affected Software

  • GitLab 16.3 < v16.3.4

  • GitLab 13.12 < v16.2.7


Recommendation:

Update to the latest patched version of GitLab for your installation [3]. For versions prior to 16.2 that cannot be upgraded, you can mitigate this vulnerability by disabling one or both of the following features: Direct transfers [4] and Security policies [5].
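As an added example (not part of the advisory or of GitLab's own tooling), the following script checks whether an instance's self-reported version falls inside either affected range listed above, using the real `GET /api/v4/version` endpoint; the instance URL and the personal access token are assumed inputs, and the range table is transcribed from the "Affected Software" section.

```python
# Added example: flag a GitLab instance whose version is in a CVE-2023-5009 affected range.
# Ranges come from the advisory: 16.3.x before 16.3.4, and 13.12 up to (not including) 16.2.7.
import json
import sys
import urllib.request

AFFECTED_RANGES = (
    # (inclusive lower bound, exclusive first fixed version)
    ((16, 3, 0), (16, 3, 4)),
    ((13, 12, 0), (16, 2, 7)),
)


def parse_version(text):
    """Turn '16.3.2', 'v16.3.2' or '16.3.2-ee' into a comparable (major, minor, patch) tuple."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:          # pad '16.3' to (16, 3, 0)
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text):
    """True when the version lies in one of the affected ranges (patched releases return False)."""
    v = parse_version(version_text)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def fetch_version(base_url, token):
    """Query the instance's version endpoint; needs an authenticated token (assumed input)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # usage: python check_gitlab_cve_2023_5009.py https://gitlab.example.org <token>
    url, token = sys.argv[1], sys.argv[2]
    ver = fetch_version(url, token)
    if is_affected(ver):
        print(f"{ver}: AFFECTED - upgrade, or disable Direct transfers / Security policies")
    else:
        print(f"{ver}: not in an affected range")
```

Run it against each instance you operate; a result of "not in an affected range" only reflects the version string, so an instance that cannot be upgraded still needs the feature-disable mitigation.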


References:

[1] https://about.gitlab.com/releases/2023/09/18/security-release-gitlab-16-3-4-released/

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5009

[3] https://about.gitlab.com/update

[4] https://docs.gitlab.com/ee/administration/settings/import_and_export_settings.html#enable-migration-of-groups-and-projects-by-direct-transfer

[5] https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
