GitLab Critical Security Release 15.11.2 (CVE-2023-2478)


Fleury, Terry

May 5, 2023, 4:06:00 PM
to cv-an...@trustedci.org

CI Operators:

GitLab has released v15.11.2 [1] to address a critical security vulnerability. This affects both GitLab Community Edition (CE) and Enterprise Edition (EE). The issue is tracked as CVE-2023-2478 [2] and has a CVSS v3 score of 9.6.


Impact:

Any GitLab user on an instance could use a GraphQL endpoint to attach a malicious runner to any project. GitLab Runner is used for CI/CD (Continuous Integration/Continuous Deployment) to run jobs in a pipeline.


Affected Software:

  • GitLab < v15.9.7
  • GitLab 15.10.x < v15.10.6
  • GitLab 15.11.x < v15.11.2
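As an added example (not part of the original alert or of GitLab's own tooling), the following Python check applies the three affected ranges above to an instance's reported version string and names the patched release on the same branch; the version strings in the demo are constructed.

```python
import re
from typing import Optional, Tuple

# Affected ranges as listed in the advisory for CVE-2023-2478.
# Each entry is (branch, first_fixed_version). A None branch means
# "every version below first_fixed_version", i.e. "GitLab < v15.9.7".
AFFECTED_RANGES = [
    (None, (15, 9, 7)),
    ((15, 10), (15, 10, 6)),
    ((15, 11), (15, 11, 2)),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a GitLab version string such as '15.11.1', 'v15.10.5' or
    '15.9.3-ee' into (major, minor, patch). A leading 'v' and an
    edition suffix are ignored; anything else is rejected."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    for branch, fixed in AFFECTED_RANGES:
        if branch is None and v < fixed:
            return True
        if branch is not None and v[:2] == branch and v < fixed:
            return True
    return False


def minimum_fix(version: str) -> Optional[str]:
    """Patched release to move to on the instance's own branch, or None when
    the version is not affected. Branches older than 15.9 have no same-branch
    fix in the advisory, so they are pointed at 15.9.7."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    for branch, fixed in AFFECTED_RANGES:
        if branch is not None and v[:2] == branch:
            return "%d.%d.%d" % fixed
    return "15.9.7"


if __name__ == "__main__":
    # Constructed sample versions; the real value comes from your instance.
    for sample in ["15.11.1", "15.11.2-ee", "15.10.5", "15.9.7", "15.8.2", "16.0.0"]:
        print(f"{sample:>12}: affected={is_affected(sample)} fix={minimum_fix(sample)}")
```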


Recommendation:

Update to the latest patched version of GitLab for your installation [3]. There are no recommended mitigations.


References:

[1] https://about.gitlab.com/releases/2023/05/05/critical-security-release-gitlab-15-11-2-released/

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2478

[3] https://about.gitlab.com/update


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.


You are receiving this message because you are subscribed to cv-an...@trustedci.org. The archive of previous alerts is publicly accessible. If you prefer not to receive future alerts, you can unsubscribe.
