GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user.
The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4.
"It was possible for an attacker to run pipelines as an arbitrary user via scheduled

Vulnerability / Software Security

GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user.

The issue, tracked as **CVE-2023-5009** (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4.

"It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies," GitLab said in an advisory. "This was a bypass of CVE-2023-3932 showing additional impact."

Successful exploitation of CVE-2023-5009 could allow a threat actor to access sensitive information or leverage the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences.

Security researcher Johan Carlsson (aka joaxcar) has been credited with discovering and reporting the flaw. CVE-2023-3932 was addressed by GitLab in early August 2023.

The vulnerability has been addressed in GitLab versions 16.3.4 and 16.2.7.

UPCOMING WEBINAR

Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM

Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.

Supercharge Your Skills

The disclosure comes as a two-year-old critical GitLab bug (CVE-2021-22205, CVSS score: 10.0) continues to be actively exploited by threat actors in real-world attacks.

Earlier this week, Trend Micro revealed that a China-linked adversary known as Earth Lusca is aggressively targeting public-facing servers by weaponizing N-day security flaws, including CVE-2021-22205, to infiltrate victim networks.

It's highly recommended that users update their GitLab installations to the latest version as soon as possible to safeguard against potential risks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GitLab Releases Urgent Security Patches for Critical Vulnerability

An issue was discovered in Croc through 9.6.5. A sender can cause a receiver to overwrite files during ZIP extraction.

**Sender can cause a receiver to overwrite files during ZIP extraction in Croc**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-8c8w-f7wp-2jr2: Sender can cause a receiver to overwrite files during ZIP extraction in Croc

An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.

**Croc sender may place ANSI or CSI escape sequences in filename to attach receiver's terminal device**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-364c-vvqx-446c: Croc sender may place ANSI or CSI escape sequences in filename to attach receiver's terminal device

An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name.

**Cros secrets may be disclosed to untrusted relay**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-hp56-xvf4-g6wr: Cros secrets may be disclosed to untrusted relay

An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a `.ssh/authorized_keys` file.

**Croc sender may send dangerous new files to receiver**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-ppjh-xp5v-46wc: Croc sender may send dangerous new files to receiver

An issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an `ips?` message.

**Croc requires senders to provide local IP addresses in cleartext**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-7mp6-929p-pqhj: Croc requires senders to provide local IP addresses in cleartext

An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.

**Croc may expose secret to local users**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-7g3v-4ggr-xvjf: Croc may expose secret to local users

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

**Note:** It was not proven that this vulnerability can crash the process.

**graphql Uncontrolled Resource Consumption vulnerability**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-9pv7-vfvm-6vr7: graphql Uncontrolled Resource Consumption vulnerability

CVE-2023-43621: security - croc: multiple issues in file sharing utility

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.**Note:** It was not proven that this vulnerability can crash the process.

Expand Up @@ -7,8 +7,8 @@ import type { DirectiveNode, FieldNode, FragmentDefinitionNode, ObjectValueNode, SelectionSetNode, ValueNode, } from '../../language/ast.js'; import { Kind } from '../../language/kinds.js'; import { print } from '../../language/printer.js'; Expand Down Expand Up @@ -592,7 +592,7 @@ function findConflict( }  
// Two field calls must have the same arguments. if (stringifyArguments(node1) !== stringifyArguments(node2)) { if (!sameArguments(node1, node2)) { return \[ \[responseName, 'they have differing arguments'\], \[node1\], Expand Down Expand Up @@ -649,19 +649,38 @@ function findConflict( } }  
function stringifyArguments(fieldNode: FieldNode | DirectiveNode): string { // FIXME https://github.com/graphql/graphql-js/issues/2203 const args \= /\* c8 ignore next \*/ fieldNode.arguments ?? \[\];  
const inputObjectWithArgs: ObjectValueNode \= { kind: Kind.OBJECT, fields: args.map((argNode) \=> ({ kind: Kind.OBJECT\_FIELD, name: argNode.name, value: argNode.value, })), }; return print(sortValueNode(inputObjectWithArgs)); function sameArguments( node1: FieldNode | DirectiveNode, node2: FieldNode | DirectiveNode, ): boolean { const args1 \= node1.arguments; const args2 \= node2.arguments;  
if (args1 \=== undefined || args1.length \=== 0) { return args2 \=== undefined || args2.length \=== 0; } if (args2 \=== undefined || args2.length \=== 0) { return false; }  
if (args1.length !== args2.length) { return false; }  
const values2 \= new Map(args2.map(({ name, value }) \=> \[name.value, value\])); return args1.every((arg1) \=> { const value1 \= arg1.value; const value2 \= values2.get(arg1.name.value); if (value2 \=== undefined) { return false; }  
return stringifyValue(value1) \=== stringifyValue(value2); }); }  
function stringifyValue(value: ValueNode): string | null { return print(sortValueNode(value)); }  
function getStreamDirective( Expand All @@ -681,7 +700,7 @@ function sameStreams( return true; } else if (stream1 && stream2) { // check if both fields have equivalent streams return stringifyArguments(stream1) \=== stringifyArguments(stream2); return sameArguments(stream1, stream2); } // fields have a mix of stream and no stream return false; Expand Down

Tag

#git