Security Scan Bypass Vulnerability Affects GitLab EE Versions
CVE-2023-5009

9.8CRITICAL

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 19 September 2023

Badges

📰 News Worthy

Summary

A vulnerability has been identified in GitLab EE that allows attackers to execute pipeline jobs as an arbitrary user through scheduled security scan policies. This issue affects multiple versions of GitLab EE, enabling unauthorized actions that exploit a bypass related to previous vulnerabilities. This incident highlights the importance of monitoring security protocols and updating systems promptly to mitigate potential threats.

Affected Version(s)

GitLab 13.12 < 16.2.7

GitLab 16.3 < 16.3.4

News Articles

Security Affairs

GitLab addressed critical vulnerability CVE-2023-5009

GitLab rolled out security patches to address a critical flaw (CVE-2023-5009) that can be exploited to run pipelines as another user.

1 year ago

thmubnail image

References

https://gitlab.com/gitlab-org/gitlab/-/issues/425304

https://hackerone.com/reports/2147126

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

📰
First article discovered by Security Affairs
Sep 20, 2023
Vulnerability published
Sep 19, 2023
Vulnerability Reserved
Sep 15, 2023

Collectors

NVD DatabaseMitre Database1 News Article(s)

Credit

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program

.