GitLab Resolves Critical Vulnerability (CVE-2023-5009) – Immediate Patch Required: GitLab, a widely used DevOps platform, has swiftly addressed a critical vulnerability, CVE-2023-5009, impacting both its Enterprise Edition (EE) and Community Edition (CE).
This flaw, discovered by software developer Johan Carlsson (joaxcar), had the potential to allow threat actors to misuse scan execution policies and execute pipelines on behalf of other users.
Key Takeaways to GitLab Resolves Critical Vulnerability:
Table of Contents
- GitLab has rapidly fixed a critical vulnerability, CVE-2023-5009, affecting its DevOps platform.
- The flaw could have enabled attackers to manipulate scan execution policies to run pipelines impersonating other users.
- Users are strongly advised to update to the patched versions or disable specific features if immediate upgrading is not feasible.
Mitigating CVE-2023-5009: A Deep Dive
The Vulnerability and Its Impact
GitLab’s CVE-2023-5009 is a critical vulnerability that has been swiftly addressed. It was unearthed in GitLab EE by Johan Carlsson (joaxcar) and affected versions from 13.12 to 16.2.7 and versions from 16.3 to 16.3.4.
Importantly, this flaw becomes exploitable when both the “direct transfers” and “security policies” features are enabled concurrently.
This vulnerability specifically relates to scan execution policies, which are instrumental in configuring built-in scanners for GitLab projects, such as static analysis and vulnerability scanning. These scanners operate within dedicated pipelines with predefined permissions.
The Bypass and Its Impact
The vulnerability essentially acted as a bypass for another previously discovered and resolved vulnerability, CVE-2023-3932.
This earlier flaw allowed unauthorized users to execute scans by altering the policy file’s author using the ‘git config’ command. Notably, the scan would be conducted under the identity of the policy file’s last committer, effectively acquiring the permissions of different users.
GitLab responded to this vulnerability by changing the mechanism for executing security scans and introducing a dedicated bot user with limited permissions.
However, it appears that threat actors could bypass this protection by removing the bot user from the group, thereby enabling the previous vulnerability’s execution flow.
Recommended Mitigation
To address CVE-2023-5009, GitLab has released fixed versions for both GitLab Community Edition (CE) and Enterprise Edition (EE). Users are strongly urged to upgrade to these patched versions as soon as possible. GitLab.com has already implemented the necessary updates.
In cases where immediate upgrading is not feasible, GitLab suggests disabling either or both of the “direct transfers” and “security policies” features.
This action can serve as a temporary mitigation until the system can be updated to the patched versions.
Conclusion
GitLab’s swift response to CVE-2023-5009 highlights the importance of promptly addressing critical vulnerabilities in DevOps platforms. Users are strongly encouraged to apply the patches or follow mitigation steps to safeguard their systems from potential threats.
About GitLab: GitLab is a prominent DevOps platform that provides a wide range of tools and services for software development, source code management, and collaboration. GitLab is known for its commitment to security and regularly releases updates to address vulnerabilities and enhance user protection.
