GitLab does not fix PostgreSQL vulnerability: attackers can gain admin rights

Although the critical security vulnerability in PostgreSQL has been known since February 12, 2024, GitLab has still not shipped a security update that incorporates the PostgreSQL patches. The vulnerability allows attackers to execute code with elevated privileges. How far GitLab users are exposed is not yet clear.


PostgreSQL had already warned of the security vulnerability on February 8th: it allows an attacker to plant arbitrary SQL code that a user with higher privileges then executes via a refresh command. The project rates the severity as high (8 out of 10). Alongside the warning, PostgreSQL released patched releases for its various version branches: 12.18, 13.14, 14.11 and 15.6.

Readers had pointed out to the iX editorial team that GitLab has still not updated the PostgreSQL version 13.13 it ships, even though the fix has been available since February 8th. Since then there have been three GitLab security updates: on February 15th, February 21st and March 6th. On February 7th, one day before the vulnerability became known, GitLab had only just switched to version 13.13, although version 13.14 has been available since September 2020.
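A quick way for administrators to check whether an instance is on one of the fixed releases named above, as an added example that is not part of the iX article: the function parses the output of PostgreSQL's `SELECT version()` (on an Omnibus install obtainable via `gitlab-psql`) and compares it against the fixed minor versions from the advisory; the 13.13 sample string is constructed to mirror the bundled version the article mentions.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the PostgreSQL advisory, keyed by major version.
# Assumption: majors not in this list (e.g. 16) are reported as "unknown"
# rather than guessed, because the article does not name them.
FIXED_MINOR = {12: 18, 13: 14, 14: 11, 15: 6}

# Matches the leading "PostgreSQL <major>.<minor>" of SELECT version()
# output, or a bare "13.13"-style string.
_VERSION_RE = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from SELECT version() output or a bare version."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for the given version text."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    major, minor = parsed
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return "unknown"  # major branch not covered by the advisory list
    return "patched" if minor >= fixed else "vulnerable"


# Constructed sample: the string a GitLab instance on the bundled 13.13
# would return from SELECT version().
SAMPLE_GITLAB_VERSION = (
    "PostgreSQL 13.13 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0, 64-bit"
)

if __name__ == "__main__":
    print(patch_status(SAMPLE_GITLAB_VERSION))  # vulnerable
```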

The iX editorial team received no response to multiple inquiries to GitLab, so it is not entirely clear to what extent users are directly affected by the vulnerability or what risk it poses to them. Following the zero-trust principle, however, a general risk to the system should be assumed.


(who)
