CVE-2023-5009
📋 TL;DR
This vulnerability allows attackers to bypass security controls in GitLab EE and execute pipeline jobs as arbitrary users via scheduled security scan policies. It affects all GitLab EE instances from version 13.12 before 16.2.7 and from 16.3 before 16.3.4. This is a bypass of CVE-2023-3932 with additional impact.
💻 Affected Systems
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of GitLab instance with unauthorized code execution, data exfiltration, and privilege escalation to administrative accounts.
Likely Case
Unauthorized pipeline execution leading to data exposure, repository manipulation, and potential lateral movement within the GitLab environment.
If Mitigated
Limited impact with proper access controls, but still potential for unauthorized job execution in restricted contexts.
🎯 Exploit Status
Requires some level of access to create or modify security scan policies. Exploitation details are documented in the HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.2.7, 16.3.4, or later
Vendor Advisory: https://about.gitlab.com/releases/2023/10/30/critical-security-release-gitlab-16-3-4-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab EE 16.2.7, 16.3.4, or later.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Security Scan Policies
Temporarily disable scheduled security scan policies to prevent exploitation.
Navigate to Security & Compliance > Policies in GitLab UI and disable all scheduled security scan policies
🧯 If You Can't Patch
- Restrict access to security policy configuration to trusted administrators only
- Implement network segmentation to isolate GitLab instances from critical systems
🔍 How to Verify
Check if Vulnerable:
Check GitLab version via Admin Area > Overview or run: sudo gitlab-rake gitlab:env:info
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm version is 16.2.7, 16.3.4 or later and test security scan policy functionality
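As an added example (not from the advisory or from GitLab's own tooling), the following Python reads the `GitLab version:` line produced by `gitlab-rake gitlab:env:info` and tests it against the affected ranges stated in the TL;DR. The range boundaries come from this page; treating a version with no patch component as `.0`, ignoring the `-ee` suffix, and the script filename in the usage comment are assumptions.

```python
"""Check a GitLab version string against the CVE-2023-5009 affected ranges.

Added example, not part of the advisory. Ranges come from the page's TL;DR:
13.12 <= v < 16.2.7 and 16.3 <= v < 16.3.4 are affected. Usage (filename assumed):

    sudo gitlab-rake gitlab:env:info | grep 'GitLab version' | python3 check_5009.py
"""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Half-open ranges [first_affected, first_fixed) taken from the advisory text.
AFFECTED_RANGES = (
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
)


def parse_version(text: str) -> Optional[Version]:
    """Pull X.Y[.Z] out of strings like 'GitLab version: 16.2.6-ee'.

    A missing patch component is treated as .0 (assumption); the '-ee' suffix
    and anything else after the numbers are ignored.
    """
    match = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))


def is_affected(text: str) -> bool:
    """True if the version in `text` lies in an affected range; ValueError if none is found."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no version number found in {text!r}")
    # Tuple comparison gives correct ordering for dotted numeric versions.
    return any(first <= version < fixed for first, fixed in AFFECTED_RANGES)


def main() -> int:
    text = sys.stdin.read()
    try:
        affected = is_affected(text)
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 2
    if affected:
        print("AFFECTED: upgrade to 16.2.7 / 16.3.4 or later")
        return 1
    print("not in an affected range")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit code (0 clean, 1 affected, 2 could not parse) lets the check run unattended across a fleet of self-managed instances.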
📡 Detection & Monitoring
Log Indicators:
- Unauthorized pipeline job executions
- Unexpected security scan policy modifications
- Failed authentication attempts followed by pipeline activity
Network Indicators:
- Unusual API calls to security policy endpoints
- Suspicious pipeline job triggers
SIEM Query:
source="gitlab" AND (event="pipeline_created" OR event="security_policy_updated") AND user NOT IN [authorized_users]
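As an added example (not from this page or from GitLab), the following Python runs the detection ideas above over a handful of constructed JSON log lines: it implements the allowlist check expressed by the SIEM query and adds a correlation that pairs a security policy update with pipeline creation in the same project shortly afterwards, which is the sequence a scheduled-policy abuse would produce. The field names (`ts`, `event`, `user`, `project`), the event names and the allowlist are assumptions for the sample; GitLab's real audit-event schema differs, so map them to the logs your pipeline actually ships.

```python
"""Run the detection ideas above over constructed GitLab-style audit log lines.

Added example, not GitLab code. The JSON field names (ts, event, user, project)
and the event names are ASSUMED to match the page's SIEM query; adjust them to
the schema your log pipeline actually produces.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample lines, not real GitLab output. Includes one malformed line
# to show that the parser skips rather than aborts on it.
SAMPLE_LOGS = """
{"ts": "2023-10-30T10:00:01Z", "event": "security_policy_updated", "user": "alice", "project": "infra/app", "detail": "schedule: nightly"}
{"ts": "2023-10-30T10:00:05Z", "event": "pipeline_created", "user": "alice", "project": "infra/app", "detail": "source: schedule"}
{"ts": "2023-10-30T10:01:12Z", "event": "security_policy_updated", "user": "mallory", "project": "infra/app", "detail": "schedule: every minute"}
{"ts": "2023-10-30T10:01:13Z", "event": "pipeline_created", "user": "admin", "project": "infra/app", "detail": "source: security_orchestration_policy"}
{"ts": "2023-10-30T10:02:00Z", "event": "user_login", "user": "bob", "project": null, "detail": "mfa ok"}
this line is not JSON and is skipped
""".strip()

# Accounts allowed to touch security policies or schedule pipelines (assumed allowlist).
AUTHORIZED_USERS: Set[str] = {"alice", "secops-bot"}
WATCHED_EVENTS = {"pipeline_created", "security_policy_updated"}
# A pipeline that starts this soon after a policy change is worth a look.
CORRELATION_WINDOW = timedelta(seconds=60)


def parse_logs(text: str) -> List[Dict]:
    """Parse one JSON object per line; drop malformed lines and lines missing ts/event."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or "ts" not in rec or "event" not in rec:
            continue
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def unauthorized_actors(records: List[Dict], authorized: Set[str]) -> List[Dict]:
    """The page's SIEM query: watched events whose actor is outside the allowlist."""
    return [r for r in records
            if r["event"] in WATCHED_EVENTS and r.get("user") not in authorized]


def policy_change_then_pipeline(records: List[Dict], window: timedelta) -> List[Dict]:
    """Pair each policy update with pipelines created in the same project within `window`.

    This catches the sequence behind the CVE regardless of which account the
    pipeline appears to run as: the actor worth investigating is the policy editor.
    """
    updates = [r for r in records if r["event"] == "security_policy_updated"]
    pipelines = [r for r in records if r["event"] == "pipeline_created"]
    alerts = []
    for upd in updates:
        for pipe in pipelines:
            same_project = pipe.get("project") == upd.get("project")
            if same_project and upd["ts"] <= pipe["ts"] <= upd["ts"] + window:
                alerts.append({
                    "project": upd["project"],
                    "policy_editor": upd["user"],
                    "pipeline_user": pipe["user"],
                    "delay_s": int((pipe["ts"] - upd["ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for hit in unauthorized_actors(recs, AUTHORIZED_USERS):
        print(f"[allowlist] {hit['ts']:%H:%M:%S} {hit['event']} by {hit['user']}")
    for alert in policy_change_then_pipeline(recs, CORRELATION_WINDOW):
        print(f"[correlation] {alert}")
```

On the sample data the allowlist check flags mallory's policy edit and the pipeline attributed to `admin`, while the correlation ties that pipeline back to mallory's edit one second earlier; the allowlist rule alone would have pointed at the wrong account.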