PT-2023-5448 · Gitlab · Gitlab Ce/Ee+1
Joaxcaron · Published 2023-09-15 · Updated 2025-11-19 · CVE-2023-5009
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
GitLab EE versions 13.12 through 16.2.7
GitLab EE versions 16.3 through 16.3.4
GitLab Community Edition (CE) versions 13.12 through 16.2.7
GitLab Community Edition (CE) versions 16.3 through 16.3.4
Description
GitLab contains a flaw that allows an attacker to run pipelines as another user. The flaw stems from the misuse of scheduled security scan policies. It affects several versions of GitLab EE and GitLab Community Edition (CE). No information is provided on the estimated number of potentially affected installations worldwide or on real-world incidents in which this issue was exploited.
Recommendations
For GitLab EE versions 13.12 through 16.2.7, update to version 16.2.7 or later.
For GitLab EE versions 16.3 through 16.3.4, update to version 16.3.4 or later.
For GitLab Community Edition (CE) versions 13.12 through 16.2.7, update to version 16.2.7 or later.
For GitLab Community Edition (CE) versions 16.3 through 16.3.4, update to version 16.3.4 or later.
As a temporary workaround, consider restricting access to the vulnerable pipeline feature until a patch is available.

Exploit · Fix · LPE

Weakness Enumeration
Incorrect Authorization
Improper Access Control

Related Identifiers

BDU:2023-06078
BIT-GITLAB-2023-5009
CVE-2023-5009

Affected Products

Gitlab
Gitlab Ce/Ee