GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user.
The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), affects all versions of GitLab Enterprise Edition (EE) from 13.12 before 16.2.7 as well as from 16.3 before 16.3.4.
"It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies," GitLab said in an advisory. "This was a bypass of CVE-2023-3932 showing additional impact."
Successful exploitation of CVE-2023-5009 could allow a threat actor to access sensitive information or leverage the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences.
Security researcher Johan Carlsson (aka joaxcar) has been credited with discovering and reporting the flaw. CVE-2023-3932 was addressed by GitLab in early August 2023.
The new vulnerability has been remediated in GitLab versions 16.3.4 and 16.2.7.
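As an added example (not part of the article or of GitLab's advisory), the following Python helper encodes the two affected EE version ranges stated above and flags whether a given GitLab version string falls inside them, which is the first check an administrator would run over an instance inventory. The sample version strings and the `triage` helper are constructed for illustration; the advisory scopes the flaw to Enterprise Edition, so edition is left to the caller.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in GitLab's advisory for CVE-2023-5009 (EE):
#   13.12 <= v < 16.2.7   and   16.3 <= v < 16.3.4
# Each entry is (first affected, first fixed) on that release line.
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]

# Accepts "16.2.6", "16.2.6-ee", "v16.3"; trailing edition/build tags are ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '16.2.6-ee' into (16, 2, 6) and '16.3' into (16, 3, 0); None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version is in an affected range, False if not, None if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return None
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each inventory entry to its status (hypothetical helper for a fleet check)."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["16.2.6-ee", "16.2.7-ee", "16.3.3-ee", "16.3.4-ee", "13.11.0", "16.4.0", "garbage"]
    for v, status in triage(sample).items():
        label = "AFFECTED" if status else ("ok" if status is False else "unparseable")
        print(f"{v:12} -> {label}")
```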
The disclosure comes as a two-year-old critical GitLab bug (CVE-2021-22205, CVSS score: 10.0) continues to be actively exploited by threat actors in real-world attacks.
Earlier this week, Trend Micro revealed that a China-linked adversary known as Earth Lusca is aggressively targeting public-facing servers by weaponizing N-day security flaws, including CVE-2021-22205, to infiltrate victim networks.
It is highly recommended that users update their GitLab installations to the latest version as soon as possible to safeguard against potential risks.
Author: data@thehackernews.com (The Hacker News)
Date: 2023-09-20 03:18:00