GitLab has released security updates to fix a serious bug that enables an attacker to run pipelines as another user.
The flaw, tracked as CVE-2023-5009 (CVSS score: 9.6), affects all GitLab Enterprise Edition (EE) versions beginning with 13.12 and ending with 16.2.7, as well as versions beginning with 16.3 and ending with 16.3.4.
According to a GitLab advisory, the bug made it possible for an attacker to run pipelines as any user through scheduled security scan policies. The advisory stated, “This was a bypass of CVE-2023-3932 showing additional impact.” Successful exploitation of CVE-2023-5009 could give a threat actor access to confidential data, or let them use the impersonated user’s elevated permissions to modify source code or execute arbitrary code on the system, either of which could have disastrous effects.
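A quick way for a defender to triage the affected ranges above is to compare an instance's version string against them. The following is an added example, not code from the article or from GitLab; it assumes that 16.2.7 and 16.3.4 are the patched releases (the advisory's "before" wording), so those versions are treated as fixed, and that the version string is taken from the instance's own version reporting.

```python
import re

# Added example: check a GitLab EE version string against the CVE-2023-5009
# ranges listed in the advisory. Assumption: 16.2.7 and 16.3.4 are the
# patched releases and therefore not affected.

def parse_version(v):
    """Turn '16.2.7' or '16.3.4-ee' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {v!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

# (inclusive lower bound, exclusive upper bound) as stated in the advisory
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]

def is_affected_cve_2023_5009(version):
    """True if the given GitLab version lies in an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def minimum_fixed_version(version):
    """Return the patched release an affected version should upgrade to, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(x) for x in hi)
    return None

if __name__ == "__main__":
    # Constructed sample versions for a stand-alone run
    for sample in ("16.2.6-ee", "16.2.7", "16.3.2", "16.3.4", "13.11.9"):
        fix = minimum_fixed_version(sample)
        status = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"{sample}: {status}")
```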