Critical GitLab Security Vulnerability: CVE-2023-2478 Exposes Projects to Malicious Runners

GitLab, the popular web-based DevOps lifecycle tool, has issued a critical security advisory for a vulnerability tracked as CVE-2023-2478. With a CVSS score of 9.6, it poses a serious risk to the integrity and security of GitLab projects, and users should update their installations promptly to protect their data and projects.

The security flaw, dubbed “Malicious Runner Attachment via GraphQL,” affects all GitLab Community Edition (CE) and Enterprise Edition (EE) versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, and all versions starting from 15.11 before 15.11.2. Under certain conditions, any GitLab user account on the instance may exploit a GraphQL endpoint to attach a malicious runner to any project within the instance. This vulnerability leaves projects exposed to unauthorized access and manipulation, posing a substantial risk to the security and confidentiality of project data.

GitLab has released versions 15.11.2, 15.10.6, and 15.9.7 for both GitLab CE and EE to address the issue. Users are strongly encouraged to upgrade to one of these versions immediately. The patched releases close the GraphQL path that allowed a runner to be attached to arbitrary projects, removing the unauthorized-access risk described above.
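The three affected ranges and their fixed releases are easy to misread when checking a fleet of instances by hand. The following is an added example, not code from GitLab or from the advisory: it encodes the version ranges exactly as stated above as half-open intervals (`[first affected, fixed)`) and reports whether a given version string falls inside one of them and which fixed release applies. It accepts strings in the form GitLab itself reports, such as `15.10.5-ee` (the regular expression and the helper names are this example's own). Versions outside the listed lines (for example anything before 15.4 or after 15.11) are treated as not affected, because that is all the advisory states.

```python
"""Check a GitLab version string against the CVE-2023-2478 affected ranges."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, as [first affected, first fixed) per line.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((15, 4, 0), (15, 9, 7)),    # 15.4 up to (not including) 15.9.7
    ((15, 10, 0), (15, 10, 6)),  # 15.10 up to (not including) 15.10.6
    ((15, 11, 0), (15, 11, 2)),  # 15.11 up to (not including) 15.11.2
]

# Accepts "15.10.5", "v15.10.5", "15.10.5-ee", "15.11" (patch defaults to 0).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?\s*$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Return the patched release for an affected version, or None if not affected."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(part) for part in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"ci-a": "15.9.6", "ci-b": "15.10.5-ee", "ci-c": "15.11.2"}
    for host, ver in inventory.items():
        fix = recommended_fix(ver)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not in affected ranges"
        print(f"{host}: {ver} -> {status}")
```

The half-open comparison is what makes the boundaries come out right: 15.9.7 itself is fixed and therefore not affected, while 15.9.6 and 15.4.0 are. The fix for a given instance is the upper bound of the range it falls in, so a 15.10.x host is told to move to 15.10.6 rather than to a different release line.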

The vulnerability was reported by yvvdwf through GitLab’s HackerOne bug bounty program. GitLab’s swift response and patch release demonstrate the company’s commitment to securing its platform and addressing security issues in a timely manner.

In light of the CVE-2023-2478 vulnerability, it’s crucial for GitLab users to update their installations to the latest patched versions (15.11.2, 15.10.6, or 15.9.7) to protect their projects from potential malicious runner attachments.