GitLab users must update their servers urgently to guard against a new critical flaw that could allow threat actors to run pipelines as other users and compromise private repositories.
The flaw, CVE-2023-5009, is in the scheduled security scan policies, according to GitLab, and is a bypass of another bug from July, tracked under CVE-2023-3932.
“We strongly recommend that all installations running a version affected by the issues … are upgraded to the latest version as soon as possible,” GitLab said.
Any user could potentially exploit the critical flaw by changing the policy file author with the “git config” command, according to Alex Ilgayev, head of security research at Cycode.
“The vulnerability is a bypass to another vulnerability reported and fixed one month ago, which allowed forging the identity of the policy file committer, hijacking the pipeline permissions, and gaining access to any users’ private repositories,” Ilgayev said. “While GitLab did not release official information about the bypass, by inspecting the GitLab source code, the bypass seems to involve removing the bot user from the group and allowing the execution of the previous vulnerability flow again.”
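The underlying design lesson is that a git commit's author and committer fields are set client-side and are never authenticated by the server, so a pipeline that derives its permissions from them can be made to run as someone else. The following Python sketch is an added illustration of that principle and is not GitLab's code or a reconstruction of the patched logic; the bot identity, account names and push event are constructed values. It shows a weak check that trusts the self-asserted author beside a hardened check that binds pipeline identity to the authenticated pusher, plus a detection helper that flags commits whose claimed author is a privileged identity the pusher does not own.

```python
"""Illustration (not GitLab's code): pipeline permissions must be bound to the
authenticated pusher, never to the self-asserted commit author/committer.

The author/committer fields of a git commit come from the client's own
configuration and are attacker-controlled; the only server-verified identity
in a push is the account that authenticated to perform it.
"""
from dataclasses import dataclass
from typing import Tuple, List


@dataclass(frozen=True)
class Commit:
    sha: str
    author_email: str  # self-asserted by the client, not authenticated


@dataclass(frozen=True)
class PushEvent:
    pusher_account: str      # account that authenticated to the server
    pusher_email: str        # e-mail the server associates with that account
    commits: Tuple[Commit, ...]


# Hypothetical privileged policy bot (constructed values, not real accounts).
POLICY_BOT_ACCOUNT = "security-policy-bot"
POLICY_BOT_EMAIL = "security-policy-bot@example.invalid"
PRIVILEGED_EMAILS = {POLICY_BOT_EMAIL}


def weak_pipeline_identity(event: PushEvent) -> str:
    """Weak: run the pipeline as whoever the newest commit claims to be."""
    return event.commits[-1].author_email


def hardened_pipeline_identity(event: PushEvent) -> str:
    """Hardened: run the pipeline as the account that actually pushed."""
    return event.pusher_email


def is_privileged(identity: str) -> bool:
    """True if the identity would receive the policy bot's permissions."""
    return identity in PRIVILEGED_EMAILS


def suspicious_commits(event: PushEvent) -> List[str]:
    """Detection: commits claiming a privileged author while the pusher is
    not that privileged account. Returns the offending commit SHAs."""
    if event.pusher_account == POLICY_BOT_ACCOUNT:
        return []
    return [c.sha for c in event.commits if c.author_email in PRIVILEGED_EMAILS]


# Constructed sample: an ordinary user pushes a policy change whose commit
# author field has been set to the bot's address.
FORGED_PUSH = PushEvent(
    pusher_account="alice",
    pusher_email="alice@example.invalid",
    commits=(Commit("0000001", "alice@example.invalid"),
             Commit("0000002", POLICY_BOT_EMAIL)),
)


def evaluate(event: PushEvent) -> Tuple[bool, bool, List[str]]:
    """(weak check grants bot rights?, hardened check grants bot rights?,
    commits a detection rule would flag)."""
    return (
        is_privileged(weak_pipeline_identity(event)),
        is_privileged(hardened_pipeline_identity(event)),
        suspicious_commits(event),
    )


if __name__ == "__main__":
    weak, hardened, flagged = evaluate(FORGED_PUSH)
    print(f"weak check runs as bot: {weak}")          # True
    print(f"hardened check runs as bot: {hardened}")  # False
    print(f"flagged commits: {flagged}")              # ['0000002']
```

The hardened path does not need to know how the author field was forged; it simply never consults it for authorization. The `suspicious_commits` helper is the kind of rule a defender can run over push events or audit logs to surface attempts at this class of impersonation regardless of whether the server-side check is already fixed.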