GitLab warns of bug that allowed attacker to run pipelines as user


GitLab is warning users of a serious vulnerability that could allow attackers to run pipelines as if they were another user. For example, data could be stolen or code could be modified in repositories.

GitLab fixed the vulnerability in versions 16.3.4 and 16.2.7 of both Community Edition and Enterprise Edition; those releases contain only the bug fix. The vulnerability is serious and affects all versions from 13.12 to 16.2.7 and all versions from 16.3 to 16.3.4.

The new vulnerability is related to a previous GitLab bug, CVE-2023-3932, which was already fixed earlier in August in versions 16.2.3 and 13.11. That bug allowed an attacker to run a pipeline with the same permissions as any user. A pipeline is a set of instructions that describes what GitLab should do, and because any kind of pipeline could be executed, an attacker could theoretically do a lot: exfiltrate data or code that may contain secrets, or add code containing malware to a repository. The new bug is a bypass of that fix. It is tracked as CVE-2023-4998 and has a CVSS score of 9.6.

Details about the bug are not yet public. It was discovered by researcher Johan Carlsson, who reported it through the HackerOne bug bounty program and received $29,000 for it; the HackerOne report is not yet public either. Carlsson also found the earlier bug and has now found a way around its fix.
