
GitLab has recently issued a critical security advisory for a vulnerability tracked as CVE-2023-2478 and rated CVSS 9.6. The flaw puts the integrity of CI/CD pipelines, and of the projects behind them, at serious risk on affected instances.
The flaw, which GitLab describes as "Malicious Runner Attachment via GraphQL", affects GitLab Community Edition (CE) and Enterprise Edition (EE) in all versions from 15.4 before 15.9.7, all versions from 15.10 before 15.10.6, and all versions from 15.11 before 15.11.2.
Under certain conditions, any authenticated user account on the instance can use a GraphQL endpoint to attach a runner they control to any project on that instance, without holding the permissions normally required to register a runner there. Because a runner executes a project's CI jobs, an attacker-controlled runner would receive whatever those jobs are given (the repository checkout, the job's CI/CD variables and the credentials the pipeline uses) and could tamper with build output, which is why the advisory treats this as exposing projects to unauthorized access and manipulation of project data.
GitLab has released versions 15.11.2, 15.10.6 and 15.9.7 for both CE and EE to fix the issue, and strongly recommends that administrators upgrade to one of these versions immediately. The patched versions prevent runner attachment through the affected GraphQL endpoint.
Upgrading closes the attachment path, but it does not by itself remove a runner that was attached beforehand. Administrators who ran an affected version should therefore also review the runners attached to their projects (Settings > CI/CD > Runners in each project, or the GET /projects/:id/runners endpoint of the REST API) and remove any runner they do not recognise.
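The following is an added example, not code from GitLab or from the advisory. It encodes the three affected version ranges above so an operator can test a version string, and it flags project-scoped runners that are not on an operator-maintained allowlist so they can be reviewed. The sample runner list is constructed for the example and mirrors the field names (id, description, ip_address, runner_type) of the GET /projects/:id/runners response as the author understands them; the fetch helper is only used when the script is run against a real instance.

```python
"""
Added example for CVE-2023-2478 (not GitLab's own code): decide whether a
GitLab version string is inside the affected ranges, and list project-scoped
runners that are not on an allowlist so they can be inspected and removed.
"""
import json
import re
import urllib.request

# Affected ranges from the advisory, as half-open [lower, upper) tuples.
AFFECTED_RANGES = [
    ((15, 4, 0), (15, 9, 7)),    # 15.4  <= v < 15.9.7
    ((15, 10, 0), (15, 10, 6)),  # 15.10 <= v < 15.10.6
    ((15, 11, 0), (15, 11, 2)),  # 15.11 <= v < 15.11.2
]


def parse_version(version):
    """Turn '15.10.5-ee' or '15.9.7' into (15, 10, 5); edition suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised GitLab version string: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if the version falls inside any affected range for CVE-2023-2478."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def unexpected_project_runners(runners, allowlist):
    """Return project-scoped runners whose id is not in the operator's allowlist.

    Instance and group runners are managed elsewhere and are ignored here; the
    vulnerability attaches runners at project scope, so that is what we audit.
    """
    return [
        r for r in runners
        if r.get("runner_type") == "project_type" and r.get("id") not in allowlist
    ]


def fetch_json(base_url, path, token):
    """GET a GitLab REST API path with a personal access token (network only)."""
    url = base_url.rstrip("/") + "/api/v4" + path
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample shaped like a GET /projects/:id/runners response.
# Runner 42 is the kind of entry an operator would want to look at: project-
# scoped, not on the allowlist, registered from an address nobody recognises.
SAMPLE_RUNNERS = [
    {"id": 3, "description": "shared-linux", "ip_address": "10.0.0.5",
     "runner_type": "instance_type", "online": True},
    {"id": 11, "description": "build-box-01", "ip_address": "10.0.1.20",
     "runner_type": "project_type", "online": True},
    {"id": 42, "description": "ci-helper", "ip_address": "203.0.113.7",
     "runner_type": "project_type", "online": True},
]
KNOWN_PROJECT_RUNNERS = {11}


if __name__ == "__main__":
    import sys
    # Offline demonstration on the constructed data.
    for ver in ("15.9.6-ee", "15.9.7", "15.10.5", "15.11.1-ee", "15.11.2"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for r in unexpected_project_runners(SAMPLE_RUNNERS, KNOWN_PROJECT_RUNNERS):
        print("review runner", r["id"], r["description"], r["ip_address"])
    # Live use: python audit.py https://gitlab.example.com TOKEN PROJECT_ID
    if len(sys.argv) == 4:
        base, token, project = sys.argv[1:]
        live_version = fetch_json(base, "/version", token)["version"]
        print("instance version", live_version,
              "affected" if is_affected(live_version) else "not affected")
        live = fetch_json(base, "/projects/%s/runners?type=project_type" % project, token)
        for r in unexpected_project_runners(live, KNOWN_PROJECT_RUNNERS):
            print("review runner", r["id"], r.get("description"), r.get("ip_address"))
```

Maintain the allowlist from your own records rather than from the instance, otherwise an attacker-attached runner simply becomes "known". Anything flagged can be detached with the corresponding DELETE /projects/:id/runners/:runner_id call once you have confirmed it is not yours.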