Multiple Vulnerabilities Discovered in GitLab

Paris, September 1, 2023 – The Computer Emergency Response Team for France (CERT-FR) has issued an advisory regarding several vulnerabilities found in GitLab, a widely used source code repository management system. These vulnerabilities pose risks to data confidentiality, data integrity, security policies, service availability, and privilege escalation.

Affected Systems

Impacted versions include:

  • GitLab Community Edition (CE) versions 16.3.x prior to 16.3.1
  • GitLab Community Edition (CE) versions 16.2.x prior to 16.2.5
  • GitLab Community Edition (CE) versions 16.1.x prior to 16.1.5
  • GitLab Enterprise Edition (EE) versions 16.3.x prior to 16.3.1
  • GitLab Enterprise Edition (EE) versions 16.2.x prior to 16.2.5
  • GitLab Enterprise Edition (EE) versions 16.1.x prior to 16.1.5
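As an added example (not part of the CERT-FR advisory), the following script checks whether an installed GitLab version falls inside one of the affected ranges listed above, so an administrator can triage an inventory before patching; the inventory entries are constructed sample values.

```python
# Added example: triage GitLab versions against the affected ranges from the advisory.
# Affected (CE and EE alike): 16.1.x < 16.1.5, 16.2.x < 16.2.5, 16.3.x < 16.3.1.
import re

# (major, minor) branch -> first fixed version on that branch, from the advisory
FIXED_VERSIONS = {
    (16, 1): (16, 1, 5),
    (16, 2): (16, 2, 5),
    (16, 3): (16, 3, 1),
}


def parse_version(text):
    """Parse strings such as '16.2.4', '16.2.4-ee' or 'v16.3.0' into (major, minor, patch)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """Return True if affected, False if on a listed branch at or above the fix,
    and None if the branch is not covered by this advisory (e.g. 16.0.x, 16.4.x),
    which must not be read as 'safe'."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def triage(versions):
    """Map each version string to a human-readable verdict."""
    verdicts = {}
    for v in versions:
        result = is_affected(v)
        if result is None:
            verdicts[v] = "branch not listed in advisory"
        else:
            verdicts[v] = "affected" if result else "not affected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    inventory = ["16.1.4", "16.1.5", "16.2.4-ee", "16.3.0", "v16.3.1", "16.0.8"]
    for version, verdict in triage(inventory).items():
        print(f"{version:12} {verdict}")
```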

Summary of Vulnerabilities

Several critical vulnerabilities have been identified in GitLab, some of which could allow attackers to compromise system security. Risks include:

  • Data Confidentiality Breach: Some security issues may grant malicious actors access to sensitive and confidential information.
  • Data Integrity Compromise: Vulnerabilities could potentially lead to unauthorized modification of data stored in GitLab, compromising its integrity.
  • Security Policy Bypass: The identified flaws could enable bypassing security mechanisms and accessing resources an attacker is not entitled to.
  • Denial of Service: Some vulnerabilities could be exploited to disrupt or render GitLab services unavailable.
  • Privilege Escalation: There is a risk of privilege escalation, where an attacker could gain higher access rights than those originally assigned.

Recommended Solution

To address these vulnerabilities, it is strongly advised to refer to the security bulletin provided by the vendor for obtaining patches (linked from the CERT-FR advisory below).

https://www.cert.ssi.gouv.fr//avis/CERTFR-2023-AVI-0707/
