GitLab fixes critical flaw that lets users log in as admins

GitLab patched multiple privilege escalation flaws, cross-site scripting bugs, and information disclosure vulnerabilities in both the open source and commercial versions of its self-hosted system for managing Git repositories. The most critical is a serious authentication flaw that enabled users to log in as other users.

The critical vulnerability was in GitLab’s “impersonate” feature (CVE-2016-4340), which was introduced in GitLab 8.2 to let an administrator simulate being logged in as another user. However, the feature was not properly secured, so any authenticated user could log in as another user, even as administrators, GitLab said in its security advisory. The issue was discovered as part of an internal code review.

To read this article in full or to leave a comment, please click here

Read more: GitLab fixes critical flaw that lets users log in as admins

Story added 6. May 2016, content source with full text you can find at link above.