GitLab Releases Urgent Security Patches for Critical Vulnerability

Sep 20, 2023 | THN | Vulnerability / Software Security

GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user.

The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7, as well as from 16.3 and prior to 16.3.4.

“It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies,” GitLab said in an advisory. “This was a bypass of CVE-2023-3932 showing additional impact.”

Successful exploitation of CVE-2023-5009 could allow a threat actor to access sensitive information or leverage the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences.

Security researcher Johan Carlsson (aka joaxcar) has been credited with discovering and reporting the flaw. CVE-2023-3932 was addressed by GitLab in early August 2023.

The new vulnerability has been remediated in GitLab versions 16.3.4 and 16.2.7.
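The affected ranges above are easy to misread when an instance reports a version such as "16.3.3-ee", so here is a small checker, added as an example and not taken from the article or from GitLab, that encodes the two ranges the advisory gives ([13.12, 16.2.7) and [16.3, 16.3.4)) and reports whether a version string is affected and which patched release to move to. It assumes the version string format GitLab uses ("MAJOR.MINOR.PATCH-ee" or "-ce"), and the sample JSON response is constructed, shaped like the body returned by the authenticated GET /api/v4/version endpoint.

```python
# Added example, not GitLab's own code: check whether a GitLab EE version
# falls inside the ranges the CVE-2023-5009 advisory lists as affected.
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges stated in the advisory, as (first affected, first fixed).
# The upper bound is exclusive: 16.2.7 and 16.3.4 are the patched releases.
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+))?")


def parse_version(text: str) -> Tuple[Version, Optional[str]]:
    """Split 'MAJOR.MINOR[.PATCH][-edition]' (e.g. '16.3.3-ee') into
    ((major, minor, patch), edition). A missing patch counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch or 0)), edition


def is_affected(version: str) -> bool:
    """True if the version falls in an affected range. The advisory scopes
    CVE-2023-5009 to Enterprise Edition, so a '-ce' build is reported as
    not affected."""
    v, edition = parse_version(version)
    if edition == "ce":
        return False
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Return the patched release closing the matching range, or None if the
    version is not affected."""
    v, edition = parse_version(version)
    if edition == "ce":
        return None
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def check_version_api(body: str) -> dict:
    """Evaluate the JSON body returned by GitLab's GET /api/v4/version
    endpoint (requires an authenticated token) and return a short report."""
    version = json.loads(body)["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": recommended_fix(version),
    }


if __name__ == "__main__":
    # Constructed sample response; not output from a real instance.
    sample = '{"version": "16.3.3-ee", "revision": "0000000"}'
    print(check_version_api(sample))
```

Because the tuple comparison is exclusive at the upper bound, 16.2.7 and 16.3.4 themselves come back as not affected, while 16.2.6 and 16.3.3 are flagged with the corresponding patched release as the upgrade target.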


The disclosure comes as a two-year-old critical GitLab bug (CVE-2021-22205, CVSS score: 10.0) continues to be actively exploited by threat actors in real-world attacks.

Earlier this week, Trend Micro revealed that a China-linked adversary known as Earth Lusca is aggressively targeting public-facing servers by weaponizing N-day security flaws, including CVE-2021-22205, to infiltrate victim networks.

It is highly recommended that users update their GitLab installations to the latest version as soon as possible to safeguard against potential risks.



Author: data@thehackernews.com (The Hacker News)
Date: 2023-09-20 03:18:00
