CI Operators:
GitLab has released v16.7.2 [1] to address two critical-severity and one high-severity security vulnerabilities. One vulnerability (CVE-2023-7028) has a CVSSv3 score of 10.0 and should be patched immediately. This affects both GitLab Community Edition (CE) and Enterprise Edition (EE).
Impact:
Affected Software:
Recommendation:
Upgrade to the latest patched version of GitLab for your installation [5]. Enable two-factor authentication [6] for all GitLab accounts, especially for administrators.
References:
[1] https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7028
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5356
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4812
[5] https://about.gitlab.com/releases/categories/releases/
[6] https://docs.gitlab.com/ee/security/two_factor_authentication.html
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.