"GitLab Urges Users to Install Security Updates for Critical Pipeline Flaw"

GitLab has released security updates to address a critical-severity vulnerability that allows attackers to run pipelines as other users through scheduled security scan policies. The flaw, tracked as CVE-2023-5009 with a CVSS score of 9.6, affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4. Security researcher and bug hunter Johan Carlsson discovered the issue, which is a bypass of CVE-2023-3932, a medium-severity problem fixed in August. The researcher found a way to evade the protections that had been implemented and demonstrated an additional impact that raised the flaw's severity rating to critical. A pipeline is a series of automated tasks; impersonating users without their knowledge or permission to execute pipeline tasks could let attackers gain access to sensitive data or abuse the impersonated user's permissions to run code, modify data, or trigger specific events within the GitLab system. This article continues to discuss the critical pipeline flaw.
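As an added triage helper (not code from the article or from GitLab), the script below checks whether a GitLab version string falls inside the two affected ranges quoted above for CVE-2023-5009; the range bounds come from the article, while the sample inventory and function names are constructed for illustration.

```python
# Added example: flag GitLab instances whose version lies within the affected
# ranges the article quotes for CVE-2023-5009. Bounds are from the article;
# the sample inventory below is constructed, not real data.

AFFECTED_RANGES = [
    # (lower bound inclusive, upper bound inclusive), as stated in the article
    ("13.12", "16.2.7"),
    ("16.3", "16.3.4"),
]


def parse_version(v: str) -> tuple:
    """Turn '16.2.7' or '16.3' into a comparable tuple, padding missing parts with 0."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True if the version lies within any affected range (inclusive on both ends)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions) -> dict:
    """Map each instance version to 'affected' or 'not in affected ranges'."""
    return {v: ("affected" if is_affected(v) else "not in affected ranges") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; in practice the version would be read from
    # each instance's admin page or version API (assumption: you have that access).
    sample = ["13.11.9", "13.12.0", "16.2.7", "16.2.8", "16.3.0", "16.3.4", "16.3.5"]
    for ver, status in triage(sample).items():
        print(f"{ver:>8}: {status}")
```

Versions just outside the quoted ranges (such as 16.2.8 and 16.3.5) are reported as not in the affected ranges; the check only reflects the ranges the article states, so confirm against GitLab's own advisory before closing a finding.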

Bleeping Computer reports "GitLab Urges Users to Install Security Updates for Critical Pipeline Flaw"