GitLab Schrödinger: Wounded or Hacked?

GitLab has released security updates to address a critical vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies, according to a post on its website.

The vulnerability, tracked as CVE-2023-4998, has a severity rating of 9.6 on the CVSS v3 scale. It affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions from 13.12 before 16.2.7 and from 16.3 before 16.3.4.
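The two affected ranges above are half-open (the fixed releases 16.2.7 and 16.3.4 are not affected), which is easy to get wrong when checking a fleet of instances by hand. The following is an added example, not GitLab's own tooling: a small Python check that parses a GitLab version string and reports whether it falls inside either range stated in the advisory. The version parser is a minimal hand-rolled comparison that tolerates the `-ee`/`-ce` suffix GitLab appends to its package versions; it does not handle pre-release tags.

```python
"""Check a GitLab version against the ranges the advisory lists for
CVE-2023-4998. Added example; the ranges are taken from the advisory text,
the parsing is a minimal hand-rolled version comparison."""

from typing import Tuple

Version = Tuple[int, ...]

# Affected ranges as stated in the advisory, [start, first_fixed) per branch:
#   13.12 <= v < 16.2.7   and   16.3 <= v < 16.3.4
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' (optionally suffixed like '16.2.6-ee') into a 3-tuple.
    Missing components are treated as 0, so '16.3' compares as 16.3.0."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the affected half-open ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(version: str) -> str:
    """First patched release on the matching branch, or '' if not affected.
    Branches older than 16.2 map to 16.2.7, since the advisory ships no
    backported fix for them."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return ""


def assess(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if is_affected(version):
        return (f"{version}: affected by CVE-2023-4998, "
                f"update to {minimum_fixed_version(version)} or later")
    return f"{version}: not in the advisory's affected ranges"


if __name__ == "__main__":
    # Constructed sample inventory; version strings are illustrative only.
    for sample in ["16.2.6-ee", "16.2.7", "16.3.3", "16.3.4", "13.11.9", "15.0.0"]:
        print(assess(sample))
```

Feeding the output of `gitlab-rake gitlab:env:info` or the `/api/v4/version` endpoint into `assess()` gives a per-instance verdict; the same structure (a list of half-open ranges plus a tolerant parser) carries over to the next GitLab advisory by editing only `AFFECTED_RANGES`.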

The vulnerability was discovered by security researcher and bug bounty hunter Johan Carlsson. GitLab states that it is a bypass of a medium-severity issue tracked as CVE-2023-3932, which was fixed in August.

Carlsson was able to bypass the protection that had been put in place and demonstrated an additional level of threat, which led to the increased severity rating. The ability to impersonate other users and run pipelines can result in unauthorized access to confidential information and abuse of user permissions within GitLab. This can potentially lead to loss of intellectual property, data leaks, supply-chain attacks, and other high-risk scenarios.

GitLab is urging users to apply the available security updates as soon as possible. “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” the company states in a message on its website.

The fix is available in GitLab Community Edition and Enterprise Edition versions 16.3.4 and 16.2.7. Users on versions prior to 16.2, which have not received the fix, are advised not to enable the “direct transfers”
