Security Advisory 2023-067

Release Date:

Critical Flaw in GitLab



  • 20/09/2023 --- v1.0 -- Initial publication


On September 18, GitLab has released security updates to address a critical flaw identified by CVE-2023-4998 that, if exploited, would allow an attacker to run code, modify data or trigger specific events within the GitLab system [1]. This could result in loss of intellectual property, damaging data leaks, supply chain attacks, and other high-risk scenarios [2].

It is strongly recommended updating as soon as possible to a fixed version.

Technical Details

The vulnerability CVE-2023-4998 has a CVSS score of 9.6 out of 10, and is a bypass of the fix for the medium severity flaw identified as CVE-2023-3932 [3]. By using scheduled security scan policies, it is possible for an authenticated attacker to run pipelines as an arbitrary user. Pipeline tasks are series of automated tasks that could give access to sensitive information, allow users to run code, modify data or trigger specific events.

Affected Products

The flaw impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4.

Instances running versions earlier than 16.2 are vulnerable if both Direct transfers [4] and Security policies [5] features are enabled at the same time.


CERT-EU strongly recommends that all installations running a version affected by the issues described above are upgraded to the latest version as soon as possible.


For instances running versions earlier than 16.2, in order to mitigate this vulnerability in situations where it is not possible to upgrade, it is required to disable the Direct transfers feature and/or the Security policies feature.







We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.