GitLab’s critical security update: fixing vulnerabilities

On January 11, 2024, GitLab, a leading provider of a software development management platform, released an important security update to address identified vulnerabilities.

The vulnerabilities were discovered by the GitLab community, who helped the company fix bugs with authentication mechanisms, authorization checks in Slack/Mattermost, creating workspaces outside of the native environment, changing metadata in commits, and bypassing CODEOWNERS approval.

In versions 16.1 to 16.7.2, problems were noticed with all authentication mechanisms: even users with two-factor authentication were vulnerable at a certain level. The company recommended updating the mentioned version range and enabling two-factor authentication for all accounts.

From version 8.13 to 16.7.2, users could execute commands on behalf of other users in Slack and Mattermost due to poorly functioning authentication. Similarly, until version 16.7.2, it was possible to create workspaces in a group, which they did not belong to. This created a separate security issue when using GitLab.

Starting from version 12.2, the metadata of signed commits was changed due to incorrect checkout signature verification. There was also a way to bypass CODEOWNERS approval starting with version 15.3 and including version 16.7.2.

For the most part, all of the above vulnerabilities can be resolved by upgrading to a newer version of GitLab. However, GitLab also recommends enabling two-factor authentication (2FA) for all GitLab accounts, reinstalling all secrets with potential for corruption, and examining repositories for unauthorized changes.