GitLab, one of the most widely used code repositories in the world, faces a critical security issue in its latest update. Alongside new functionality, the 16.0 release brought an extremely severe vulnerability, which experts have already rated CVSS 10.0, the highest possible score.
What is GitLab?
GitLab is an open-source repository and collaborative software development platform. Its DevOps toolset lets users develop, secure and operate software, and it is used by development teams that need to manage their code remotely. It has around 30 million registered users, including one million paying customers. As you may imagine, even a slight issue or vulnerability in the product has a frightening scale, and that is exactly what happened.
GitLab Vulnerability Scores Highest CVSS Rating
The company recently disclosed a critical path traversal vulnerability, CVE-2023-2825, with the maximum severity rating: a CVSS score of 10.0. Under certain conditions, it allows unauthenticated attackers to read arbitrary files on the server. Through the vulnerable endpoints, attackers can read sensitive data, including proprietary source code, user credentials, tokens, files, and other personal information.
The vulnerability was discovered by cybersecurity researcher “pwnie” and affects version 16.0.0 of GitLab Community Edition (CE) and Enterprise Edition (EE). According to the researcher, exploiting the vulnerability requires an attachment in a public project nested in at least five groups. The good news is that this structure is found in only some GitLab projects. Moreover, version 16.0 is the most recent release of GitLab CE/EE, so it has simply not been in circulation long enough for the flaw to become a major issue.
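The page does not name the vulnerable endpoint, but a defender can still look for traversal attempts of this class in web server access logs. The following is an added example, not GitLab's own code: it assumes nginx-style combined log lines (constructed below for illustration) and that attachment requests pass through a path containing `/uploads/`; it percent-decodes each request path repeatedly, so double-encoded sequences are unwrapped, and flags any request whose decoded path walks upward with `..`.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample log lines (nginx combined-style); not real GitLab traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2023:10:01:02 +0000] "GET /group/project/uploads/1a2b3c/README.md HTTP/1.1" 200 512
203.0.113.7 - - [23/May/2023:10:01:09 +0000] "GET /group/project/uploads/1a2b3c/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024
203.0.113.7 - - [23/May/2023:10:01:15 +0000] "GET /group/project/uploads/1a2b3c/%252e%252e/%252e%252e/config/secrets.yml HTTP/1.1" 404 0
203.0.113.9 - - [23/May/2023:10:02:00 +0000] "GET /group/project/-/issues/42 HTTP/1.1" 200 2048
"""

# Fields of a combined-format request line; the request path is what we inspect.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding (e.g. %252e) is unwrapped."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_base(path: str) -> bool:
    """True if the decoded path contains a '..' segment (walks out of its directory)."""
    segments = fully_decode(path).replace("\\", "/").split("/")
    return any(seg == ".." for seg in segments)


def find_traversal_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return the client IP, raw path and status of every upload request that traverses."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        path = m.group("path")
        if "/uploads/" in path and escapes_base(path):
            hits.append({"ip": m.group("ip"), "path": path, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 response on a flagged request is the signal worth escalating, since a 404 shows the traversal was rejected.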
Mitigation
GitLab released a security update addressing this vulnerability immediately after its discovery, demonstrating a quick response to such threats. To protect their systems, users of GitLab CE or EE version 16.0.0 are strongly encouraged to install the most recent update or roll back.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. – GitLab.
To update your GitLab installation, please follow these instructions.
Aside from the official guidelines, you can apply a number of other measures. They are reactive, but they will most likely do their job in the case of other issues that do not receive a fix as quickly.
For example, I recommend using software that supports the Zero Trust model. In short, Zero Trust is a security strategy built on a set of security principles; it is not a product or service but an approach. These principles include thorough verification, least-privilege access, and the assumption that a breach has already occurred. Applied consistently, this approach can help prevent unauthorized access.
In addition, you can follow cyber news to keep up with the latest developments and gain valuable insights into new products, emerging threats, and cybersecurity trends. Cyber news sources report on new vulnerabilities, data breaches, malware attacks, and hacking incidents, which helps you stay proactive and better equipped to protect yourself and your digital assets. By keeping up with these reports, you can learn from real-world examples and understand the tactics and techniques employed by cybercriminals. Forewarned is forearmed.