GitLab users told to install emergency security fix immediately

2 months ago

Representational image depecting cybersecurity protection

(Image credit: Shutterstock)

GitLab has released a hole for a recently discovered information flaw, and is urging its users to instal instantly arsenic it addresses a high-severity vulnerability that tin origin each sorts of trouble.

In a information bulletin, GitLab said an attacker could maltreatment scan execution policies to tally pipelines (a bid of automated tasks) arsenic different user.

This flaw is now tracked arsenic CVE-2023-4998 and carries a severity people of 9.6. It impacts a mates of versions of nan software, namely GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 done 16.2.7, and versions 16.3 done 16.3.4.

According to a BleepingComputer report, a threat character could impersonate a personification without their knowledge and permission, and entree delicate accusation aliases tally malicious code, modify data, aliases trigger circumstantial events wrong nan GitLab system. Given that GitLab is simply a codification guidance platform, nan vulnerability could lead to intelligence spot theft, information leaks, proviso concatenation attacks, and more, nan publication claims.

Fixes and workarounds

"We powerfully urge that each installations moving a type affected by nan issues described beneath are upgraded to nan latest type arsenic soon arsenic possible,” GitLab said successful nan advisory.

The vulnerability, discovered by information interrogator Johan Carlsson, really stems from a erstwhile flaw that apparently wasn’t decently addressed. Last month, a vulnerability tracked arsenic VE-2023-3932 was recovered and patched. Back then, it was a medium-severity flaw. However, Carlsson recovered a measurement to activity astir nan fix, and moreover discovered that nan caller flaw carries moreover much weight (hence nan caller severity people of 9.6).

Users who tally GitLab versions older than 16.2 should make judge they don’t person “Direct transfers” and “Security policies” some turned on, arsenic that will make nan endpoint vulnerable. Users should person conscionable 1 turned astatine immoderate constituent successful time, nan advisory said.

GitLab tin beryllium updated via GitLab Runner packages from nan charismatic website.

More from TechRadar Pro

GitLab releases emergency information patch, tells users to update immediately
Here's a database of nan best endpoint protection services
Looking for a bully firewall? Here are nan best firewalls correct now

Sign up to nan TechRadar Pro newsletter to get each nan apical news, opinion, features and guidance your business needs to succeed!

Sead is simply a seasoned freelance journalist based successful Sarajevo, Bosnia and Herzegovina. He writes astir IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, information breaches, laws and regulations). In his career, spanning much than a decade, he’s written for galore media outlets, including Al Jazeera Balkans. He’s besides held respective modules connected contented penning for Represent Communications.

Source Networking