GitLab fixes critical vulnerability, patch now! (CVE-2023-5009)
GitLab has fixed a critical vulnerability (CVE-2023-5009) in the Enterprise Edition (EE) and Community Edition (CE) of its widely used DevOps platform. The flaw may allow a threat actor to abuse scan execution policies to run pipelines as another user.
About the vulnerability (CVE-2023-5009)
CVE-2023-5009 – discovered by software developer and bug hunter Johan Carlsson (joaxcar) in GitLab EE – affects all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4, but only if the “direct transfers” and “security policies” features are both enabled at the same time.
“Scan execution policy allows configuring built-in scanners for GitLab projects, such as static analysis and vulnerability scanning. These scanners are running in dedicated pipelines with a predefined set of permissions,” Alex Ilgayev, head of security research at Cycode told Help Net Security.
The vulnerability is a bypass to another vulnerability (CVE-2023-3932) reported and fixed one month ago.
“According to the GitLab issue tracker and source code, any user can easily exploit that vulnerability by changing the policy file author using the ‘git config’ command. The scan is done through the identity of the policy file’s last committer, effectively gaining the permissions of arbitrary users,” Ilgayev added.
“Since then, GitLab updated the mechanism to execute these security scans using a dedicated bot user with limited permissions. While GitLab didn’t release official information regarding the bypass, by inspecting the GitLab source code, the bypass seems to involve removing the bot user from the group and allowing the execution of the previous vulnerability flow again.”
Mitigation
GitLab has released fixed versions for GitLab Community Edition (CE) and Enterprise Edition (EE).
“We strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version,” said Nick Malcolm, senior application security engineer at GitLab.
If an upgrade is impossible, Malcolm advised disabling the “direct transfers” or “security policies” feature (or both).
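The affected ranges above and the two preconditions give an administrator a simple triage rule: an instance is exposed only when its version falls in 13.12 ≤ v < 16.2.7 or 16.3 ≤ v < 16.3.4 and both features are on. The following script, an added example that is not part of the Help Net Security article or of GitLab's own tooling, encodes that rule. It assumes the administrator already has the instance's version string (the real `GET /api/v4/version` endpoint returns it, with an `-ee`/`-ce` suffix) and has read the two feature toggles from the admin settings; the `Instance` records below are constructed sample inputs, and the `-ee` suffix handling and the default patch level of 0 for a bare "major.minor" string are the script's own assumptions.

```python
"""Triage a GitLab instance against the CVE-2023-5009 affected ranges.

Affected (per the advisory summarised in the article):
  13.12 <= version < 16.2.7   or   16.3 <= version < 16.3.4
AND both "direct transfers" and "security policies" are enabled.
Fixed versions: 16.2.7 and 16.3.4.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (inclusive lower bound, exclusive upper bound) for each affected branch.
AFFECTED_RANGES = (
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
)
FIXED_VERSIONS = ("16.2.7", "16.3.4")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '16.2.6-ee' / 'v16.3' / '16.3.4' into a comparable tuple.

    A missing patch level is treated as 0 (assumption: '16.3' means 16.3.0).
    Edition suffixes such as '-ee' or '-ce' are ignored.
    """
    match = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def version_in_affected_range(version: str) -> bool:
    """True when the version sits inside one of the advisory's ranges."""
    parsed = parse_version(version)
    return any(low <= parsed < high for low, high in AFFECTED_RANGES)


@dataclass(frozen=True)
class Instance:
    """What an administrator needs to know about one GitLab deployment."""
    name: str
    version: str                      # e.g. from GET /api/v4/version
    direct_transfers_enabled: bool    # admin setting, read by the operator
    security_policies_enabled: bool   # admin setting, read by the operator


def assess(inst: Instance) -> str:
    """Classify an instance: 'not_affected', 'vulnerable', or
    'affected_version_preconditions_unmet'."""
    if not version_in_affected_range(inst.version):
        return "not_affected"
    if inst.direct_transfers_enabled and inst.security_policies_enabled:
        return "vulnerable"
    return "affected_version_preconditions_unmet"


def recommend(inst: Instance) -> list[str]:
    """Map the classification to the actions the advisory gives."""
    status = assess(inst)
    if status == "not_affected":
        return []
    actions = [f"upgrade to one of {', '.join(FIXED_VERSIONS)}"]
    if status == "vulnerable":
        # Interim mitigation from the advisory: remove one of the two preconditions.
        actions.append("until upgraded: disable 'direct transfers' or 'security policies' (or both)")
    return actions


# Constructed sample fleet (not real hosts).
SAMPLE_FLEET = [
    Instance("gitlab-prod", "16.2.6-ee", True, True),
    Instance("gitlab-staging", "16.3.3-ee", True, False),
    Instance("gitlab-legacy", "13.11.9-ce", True, True),
    Instance("gitlab-new", "16.3.4-ee", True, True),
]

if __name__ == "__main__":
    for inst in SAMPLE_FLEET:
        print(f"{inst.name:15} {inst.version:10} {assess(inst):38} {recommend(inst)}")
```

The check deliberately reports an instance on an affected version with only one precondition met as still needing the upgrade: the feature toggle is the advisory's stop-gap, not the fix.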
Earlier this year, GitLab addressed security issues CVE-2022-41903 and CVE-2022-23521 in Git that affected its Community Edition and Enterprise Edition.