GitLab Rolls Out Emergency Security Update for Critical Pipeline Vulnerability

GitLab, a popular web-based open-source platform for software project management and work tracking, has rolled out emergency security updates to fix a critical vulnerability that could affect millions of users.

The vulnerability, tagged as CVE-2023-4998, carries a CVSS v3.1 score of 9.6 and affects the GitLab Community Edition (CE) and Enterprise Edition (EE) versions ranging between 13.12 and 16.2.7, and versions 16.3 through 16.3.4.

The vulnerability was discovered by security researcher Johan Carlsson. In August, GitLab had identified and fixed a medium-severity issue, tracked as CVE-2023-3932.

However, Carlsson found a new method to bypass existing protections and identified additional impacts that escalated the vulnerability's severity from medium to critical.

Risks and Implications

By exploiting this critical vulnerability, attackers can covertly impersonate users and execute pipeline tasks. Pipeline tasks are a series of automated operations that, if compromised, could lead to the perpetrator gaining access to sensitive information.

Attackers could also abuse the victim's permissions to run code, trigger specific events or alter data.

The risks associated with this flaw are significant, considering that GitLab is a hub for code management and collaboration. Threat actors could engage in intellectual property theft, data leaks, and even supply chain attacks.

GitLab's Recommendation

GitLab has issued a clear warning about the urgency of addressing this issue.

"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," the company stated in a bulletin.

To protect against CVE-2023-4998, users are advised to install GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7.

For those running versions prior to 16.2, GitLab recommends avoiding the concurrent enabling of "Security policies" and "Direct transfers" features. Enabling both features simultaneously leaves the system vulnerable to attacks that exploit this critical vulnerability.