GitLab's recent critical security release addresses a vulnerability identified as CVE-2023-5009. This vulnerability, with a CVSS score of 9.6, posed a significant risk, particularly in the pipeline execution processes of GitLab's software. It affected versions before 16.2.7 of GitLab Enterprise Edition (EE) and versions before 16.3.4 of GitLab Community Edition (CE).
The CVE-2023-5009 vulnerability is notable for allowing an attacker to execute pipelines as another user, compromising the security of the projects hosted on GitLab. This flaw was a bypass of the earlier CVE-2023-3932 vulnerability.
The vulnerability could be exploited using a technique known as parameter pollution. Here's an illustrative example to demonstrate how an attacker might craft a malicious request:
POST /users/password HTTP/2
Host: gitlab.example.com
... [additional request headers] ...
Content-Type: application/x-www-form-urlencoded
authenticity_token=readactd&user[email][]=valid@email.com&user[email][]=akhil@strobes.co
In this hypothetical example, the attacker uses the user[email][] parameter multiple times, leading to an ambiguity in the request processing. This kind of exploitation could allow unauthorized access to Gitlab projects with exploited user permissions.
GitLab has released patches in the latest versions — 16.3.4 for Community Edition and 16.2.7 for Enterprise Edition. Users are strongly advised to upgrade to these versions for immediate mitigation.
If you are using a version prior to 16.2, there are additional considerations. The vulnerability is active only if both 'Direct Transfers' and 'Security Policies' features are enabled. As a workaround, disabling one or both of these features can mitigate the risk.
Besides the critical security fixes, the new versions of GitLab also include other non-security related improvements, such as a new indexer in version 16.3.4 and minor feature reversions in 16.2.7.
Given the severity and the potential impact of CVE-2023-5009, it is imperative for users and administrators of GitLab to update their instances to the latest versions as a priority. This action not only resolves the highlighted flaw but also fortifies the overall security posture against similar vulnerabilities in the future.
More details on CVE-2023-5009 - Learn more.
