CVE-2023-3932

Name of the Vulnerable Software and Affected Versions GitLab EE versions 13.12 through 16.0.7 GitLab EE versions 16.1 through 16.1.2 GitLab EE versions 16.2 through 16.2.1

Description An issue has been discovered in GitLab EE, affecting the authorization procedure. This issue allows an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. The exploitation of this issue may enable a remote attacker to launch tasks in the name of any user.

Recommendations For versions 13.12 through 16.0.7, update to version 16.0.8 or later. For versions 16.1 through 16.1.2, update to version 16.1.3 or later. For versions 16.2 through 16.2.1, update to version 16.2.2 or later. As a temporary workaround, consider restricting access to scheduled security scan policies until a patch is available.