Blog Security GitLab’s response to a high severity vulnerability impacting curl and libcurl
Published on: October 12, 2023
2 min read

GitLab’s response to a high severity vulnerability impacting curl and libcurl

Learn about CVE-2023-38545, which leverages a heap buffer overflow through the SOCKS5 protocol, and what it means for GitLab customers.

securityscreen.jpg

On October 4, the developers of curl announced that they would release a fix for a high severity vulnerability impacting curl and libcurl (CVE-2023-38545) with curl 8.4.0 on October 11. This vulnerability leverages a heap buffer overflow through the SOCKS5 protocol. Detailed information regarding the requirements for an environment to be vulnerable are outlined in curl’s security advisory.

Are you affected?

Based on our investigation, we did not identify any SOCKS5 usage in the GitLab.com or GitLab Dedicated environments. GitLab.com and GitLab Dedicated customers are not susceptible to this vulnerability because it does not allow for the configuration of a SOCKS5 proxy.

Self-managed customers who may be operating a SOCKS5 proxy in coordination with their GitLab application should refer to curl’s security advisory to assess their exposure to this vulnerability. This vulnerability affects libcurl versions 7.69.0 to 8.3.0. The developers of curl are encouraging all affected users to upgrade to curl version 8.4.0.

Assessing the impact to GitLab's platform, users, and customers

Upon learning of the vulnerability's existence, GitLab’s security and development teams took proactive measures to identify where curl and libcurl were leveraged across the GitLab environment. This scoping exercise allowed us to develop initial assumptions regarding the potential impact to GitLab’s platforms, users, and customers.

After the vulnerability disclosure by the developers of curl, our teams leveraged their extensive proactive scoping and investigated SOCKS5 usage across our environment through the use of options and environment variables.

GitLab prioritizes and values security. Our response to this vulnerability was conducted with the security of our platform and the security of our customers’ data as the priority. The GitLab Security team will continue monitoring the situation and will update this blog post with any important details or required actions as needed.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert