GitLab users need to update their servers urgently to protect against a new critical flaw that could allow threat actors to run pipelines as other users and compromise private repositories.
The flaw, CVE-2023-5009, is in the scheduled security scan policies, according to GitLab, and is a bypass of another bug from July, tracked under CVE-2023-3932.
“We strongly recommend that all installations running a version affected by the issues … are upgraded to the latest version as soon as possible,” GitLab said.
Any user could potentially exploit the critical flaw by changing the policy file author with the “git config” command, according to Alex Ilgayev, head of security research at Cycode.
“The vulnerability is a bypass to another vulnerability reported and fixed one month ago, which allowed forging the identity of the policy file committer, hijacking the pipeline permissions, and gaining access to any users’ private repositories,” Ilgayev said. “While GitLab didn’t release official information regarding the bypass, by inspecting the GitLab source code, the bypass seems to involve removing the bot user from the group and allowing the execution of the previous vulnerability flow again.”