ADVISORY!

TLP: CLEAR

Date: 12/03/2024

REF NO: CERT / 2024/03/19

GitLab Multiple Vulnerabilities

Severity Level: Medium

Components Affected

  • GitLab Community Edition (CE) versions prior to 16.9.2, 16.8.4 and 16.7.7
  • GitLab Enterprise Edition (EE) versions prior to 16.9.2, 16.8.4 and 16.7.7

Overview

Multiple vulnerabilities were identified in GitLab. A remote attacker could exploit some of these vulnerabilities to trigger elevation of privilege and security restriction bypass on the targeted system.

Description

An authorization bypass vulnerability was discovered in GitLab affecting versions from 11.3 prior to 16.7.7, from 16.7.6 prior to 16.8.4, and from 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by using a crafted payload in an old feature branch to perform malicious actions.

A privilege escalation vulnerability was discovered in GitLab affecting versions from 16.8 prior to 16.8.4 and from 16.9 prior to 16.9.2. It was possible for a user whose custom role included `manage_group_access_tokens` to rotate group access tokens with owner privileges.
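The fixes above were backported to three minor branches, so an instance on 16.8.4 is patched even though it sorts below 16.9.2; a single "newer than 16.9.2" comparison gets this wrong. The following added example (not from the advisory or from GitLab) checks a version string against the fixed releases listed under Components Affected and the earliest affected versions given in the Description; the sample version strings are constructed.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed release per minor branch, taken from "Components Affected".
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (16, 7): (16, 7, 7),
    (16, 8): (16, 8, 4),
    (16, 9): (16, 9, 2),
}

# Earliest affected version of each issue, taken from "Description".
ISSUES: Dict[str, Version] = {
    "CODEOWNERS authorization bypass": (11, 3, 0),
    "group access token rotation privilege escalation": (16, 8, 0),
}

def parse_version(text: str) -> Version:
    """Parse strings such as '16.8.3', '16.8.3-ee' or 'v16.8' into (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_patched(v: Version) -> bool:
    """True when the release already carries the fix for its own minor branch."""
    branch = (v[0], v[1])
    if branch in FIXED_BY_BRANCH:
        return v >= FIXED_BY_BRANCH[branch]
    # Branches newer than the newest patched branch shipped with the fix;
    # branches older than the oldest patched branch never received it.
    return branch > max(FIXED_BY_BRANCH)

def affected_issues(version_text: str) -> List[str]:
    """Return the issues from this advisory that apply to the given version."""
    v = parse_version(version_text)
    if is_patched(v):
        return []
    return [name for name, first in ISSUES.items() if v >= first]

if __name__ == "__main__":
    # Constructed sample inputs; on a real instance use the version it reports.
    for sample in ("16.8.3-ee", "16.8.4", "16.7.2", "16.9.0", "16.10.0", "15.11.0"):
        print(sample, "->", affected_issues(sample) or "not affected")
```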

Impact

  • Elevation of Privilege
  • Security Restriction Bypass

Solution / Workarounds

Before installing the software, please visit the vendor website for more details.

Apply fixes issued by the vendor:

Reference

Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.

Sri Lanka Computer Emergency Readiness Team | Coordination Centre

Copyright © 2023 SRI LANKA CERT | CC