GitLab is warning users to patch GitLab Enterprise Edition instances against a critical vulnerability.
In its advisory, the organisation said the vulnerability, given the identifier CVE-2023-5009, allows an attacker to abuse the software’s scheduled security scan policies to “run pipelines as an arbitrary user”.
The vulnerability has a common vulnerabilities scoring system (CVSS) rating of 9.8.
An instance is vulnerable if it has two features enabled: direct transfers, and security policies.
Direct transfers is a feature that enables migration of groups and projects by direct transfer; while security policies supports scans running either to schedule, or within a project’s pipeline.
Users who can’t upgrade are urged to disable these features.
The vulnerability affect “all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4”.
GitLab’s advisory noted that the bug arises from a bypass of a patch for a previous, nearly-identical vulnerability, CVE-2023-3932, which has a CVSS score of 6.5 and was patched in August.
The latest bug was reported via HackerOne by Johan Carlsson (joaxcar).