- 20/09/2023 --- v1.0 -- Initial publication
On September 18, GitLab released security updates to address a critical flaw, identified as CVE-2023-4998, that, if exploited, would allow an attacker to run code, modify data or trigger specific events within the GitLab system. This could result in loss of intellectual property, damaging data leaks, supply chain attacks and other high-risk scenarios.
It is strongly recommended to update to a fixed version as soon as possible.
CVE-2023-4998 has a CVSS score of 9.6 out of 10 and is a bypass of the fix for the medium-severity flaw identified as CVE-2023-3932. By using scheduled security scan policies, an authenticated attacker can run pipelines as an arbitrary user. Pipelines are series of automated tasks that could give access to sensitive information, or allow users to run code, modify data or trigger specific events.
The flaw impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4.
Instances running versions earlier than 16.2 are vulnerable only if both the Direct transfers and the Security policies features are enabled at the same time.
CERT-EU strongly recommends that all installations running a version affected by the issues described above be upgraded to the latest version as soon as possible.
For instances running versions earlier than 16.2 where upgrading is not possible, the vulnerability can be mitigated by disabling the Direct transfers feature and/or the Security policies feature.
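As an added example (not part of this advisory and not GitLab code), the following Python script encodes the affected version ranges and the pre-16.2 feature condition stated above, so that an administrator can classify an instance as affected, mitigated or not affected. The version ranges and the "both features enabled" rule are taken from the advisory text; the `assess_instance` helper that queries `GET /api/v4/version` with a `PRIVATE-TOKEN` header is an assumed usage pattern built on the standard GitLab REST API, and the feature state must still be confirmed manually in the Admin Area because the script does not query it.

```python
"""Classify a GitLab instance against the CVE-2023-4998 advisory ranges.

Added example for this advisory, not GitLab's own code. The affected ranges
and the pre-16.2 feature condition come from the advisory; the live lookup
against GET /api/v4/version is an assumed usage of the GitLab REST API.
"""
import json
import re
import urllib.request
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, inclusive on both ends:
#   13.12 through 16.2.7, and 16.3 through 16.3.4.
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]

# Below this version the flaw is only reachable when the Direct transfers
# and Security policies features are both enabled (per the advisory).
FEATURE_GATE_BELOW: Version = (16, 2, 0)


def parse_version(text: str) -> Version:
    """Turn '16.3.2', '16.3.2-ee' or '16.3' into a (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version: str,
           direct_transfers: Optional[bool] = None,
           security_policies: Optional[bool] = None) -> str:
    """Return one of:
      'not-affected'              - version outside the affected ranges
      'affected'                  - in range and reachable regardless of (or
                                    with both) feature settings
      'mitigated'                 - before 16.2 with at least one gate feature off
      'affected-unless-mitigated' - before 16.2 but feature state unknown
    """
    v = parse_version(version)
    if not any(low <= v <= high for low, high in AFFECTED_RANGES):
        return "not-affected"
    if v >= FEATURE_GATE_BELOW:
        return "affected"
    # Versions before 16.2: the flaw needs both features enabled.
    if direct_transfers is None or security_policies is None:
        return "affected-unless-mitigated"
    if direct_transfers and security_policies:
        return "affected"
    return "mitigated"


def assess_instance(base_url: str, token: str) -> str:
    """Assumed helper: read the running version from GET /api/v4/version
    (authenticated with a PRIVATE-TOKEN header) and classify it.
    Feature state is not queried here; confirm it in the Admin Area."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        info = json.load(resp)
    return assess(info["version"])


if __name__ == "__main__":
    # Constructed sample version strings, not real instances.
    for sample in ["16.3.2-ee", "16.3.5", "16.2.7", "16.2.8", "15.11.0", "13.11.9"]:
        print(f"{sample:10} -> {assess(sample)}")
    print("15.11.0 with Direct transfers off ->",
          assess("15.11.0", direct_transfers=False, security_policies=True))
```

Run it with no arguments to see the classification of the constructed samples; for a live instance call `assess_instance("https://gitlab.example.invalid", token)` with a read-only API token and treat any result other than `not-affected` as a reason to schedule the upgrade.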