Critical Vulnerability in GitLab Allows Unauthorized User Access

GitLab has published a security release for its collaborative software development platform. Versions 16.3.4 and 16.2.7 (Community Edition and Enterprise Edition) fix a critical vulnerability (CVE-2023-4998) that allows an attacker to run CI pipeline jobs as an arbitrary user by abusing scheduled security scan policies. Because the pipeline executes with that user's permissions, exploitation gives the attacker access to the user's internal repositories and private projects.

The vulnerability was reported to GitLab through its bug bounty program. It affects GitLab Enterprise Edition installations and the hosted GitLab.com service. Details of how the vulnerability is exploited will be published a month after the update is released. The issue is a variation of a similar, previously fixed problem, CVE-2023-3932, whose fix it bypasses.
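The check an administrator wants after reading this is whether a given instance is still below the fixed versions. The following script is an added example and not GitLab's own tooling: it parses a GitLab version string (the format returned by the `/api/v4/version` endpoint, e.g. `16.3.3-ee`) and compares it against the two fixed versions named above. It assumes that a missing edition suffix means Community Edition, and that instances on a minor series older than 16.2 received no fix in this release and therefore still need an upgrade; neither assumption is stated on the page.

```python
"""Check whether a GitLab version string is below the fix for CVE-2023-4998.

Added example, not GitLab's own code. Fixed versions are the two named in
the advisory: 16.3.4 and 16.2.7.
"""
import json
import re

# Minor series -> first version in that series containing the fix.
FIXED = {
    (16, 3): (16, 3, 4),
    (16, 2): (16, 2, 7),
}

# Matches "16.3.3", "16.3.3-ee" or "16.3.3-ce"; anything after is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?")


def parse_version(text):
    """Return ((major, minor, patch), edition) for a GitLab version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    # Assumption: GitLab EE reports an "-ee" suffix; no suffix means CE.
    edition = m.group(4) or "ce"
    return version, edition


def needs_upgrade(version):
    """True if `version` predates the fix for its minor series."""
    series = version[:2]
    if series in FIXED:
        return version < FIXED[series]
    if series > (16, 3):
        return False  # released after the fix
    # Assumption: series older than 16.2 got no patch in this release.
    return True


def assess(version_text):
    """Summarise exposure for one version string."""
    version, edition = parse_version(version_text)
    return {
        "version": version,
        "edition": edition,
        "upgrade_required": needs_upgrade(version),
        # The advisory names EE and GitLab.com as affected; CE is
        # reported separately so the caller can still prefer upgrading.
        "edition_affected": edition == "ee",
    }


def assess_api_response(body):
    """Assess the JSON body returned by GET /api/v4/version."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed sample response, not captured from a real instance.
    sample = '{"version":"16.3.3-ee","revision":"0123abcd"}'
    print(assess_api_response(sample))
```

Run it against the output of `GET /api/v4/version` (which needs an authenticated token) or against the version printed by `gitlab-rake gitlab:env:info`; `upgrade_required` is the flag to act on, and `edition_affected` tells you whether the instance is one of the editions the advisory names.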
