PT-2021-7235 · Gitlab · Gitlab Runner

Published

2021-08-23

·

Updated

2023-08-08

·

CVE-2021-39947

CVSS v2.0

7.8

High

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
GitLab Runner, all versions before 14.3.4
GitLab Runner 14.4.x before 14.4.2
GitLab Runner 14.5.x before 14.5.2
Description The issue is an information disclosure in GitLab Runner. Under specific circumstances the runner's trace file buffers could re-use file descriptor 0 for more than one job trace, so the output of several jobs was written into the same trace and mixed together. Anyone able to read the log of an affected job could therefore see another job's output, including any secrets, tokens or other protected information that job printed, even when they had no access to the other job or its project. The flaw is in the runner process itself; the weakness is not specific to a particular executor.
Recommendations Upgrade GitLab Runner to a fixed release: 14.3.4 or later for the 14.3 line, 14.4.2 or later for the 14.4 line, 14.5.2 or later for the 14.5 line. There is no configuration switch that removes the defect; until the upgrade is done, reduce the chance that jobs of different trust levels share one runner process (for example, dedicate runners to a project or run them with concurrent = 1 in config.toml), and treat job logs produced by affected runners as possibly containing another job's output. Rotate any credentials that appeared in job output on a shared, unpatched runner.
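The mechanism behind this class of bug is easy to reproduce in isolation. The following Go program is an added illustration written for this page; it is not GitLab Runner code and does not reproduce the runner's actual trace implementation. It assumes a POSIX system and uses hypothetical rawTrace and safeTrace types. Closing stdin frees descriptor number 0, the next file opened is handed that number, and a component that keeps only the bare number (or a zero-valued struct whose fd field defaults to 0) writes job A's bytes into job B's trace. The hardened variant holds an *os.File, whose Write refuses to touch a recycled number once the handle is closed or unset.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// rawTrace keeps only the descriptor number. Once the kernel recycles that
// number, writes silently land in whatever file now owns it.
type rawTrace struct {
	job string
	fd  int // zero value is 0, which is a valid descriptor number
}

func (t *rawTrace) write(msg string) error {
	_, err := syscall.Write(t.fd, []byte(msg))
	return err
}

// safeTrace holds the handle instead. A closed or nil *os.File cannot be
// written to, so a stale trace never reaches another job's file.
type safeTrace struct {
	job string
	f   *os.File
}

func (t *safeTrace) write(msg string) error {
	if t.f == nil {
		return errors.New("trace " + t.job + " is not open")
	}
	_, err := t.f.Write([]byte(msg)) // returns an error after Close
	return err
}

func (t *safeTrace) close() {
	if t.f != nil {
		t.f.Close()
		t.f = nil
	}
}

// LeakResult records which descriptor numbers the two trace files got and
// what ended up in job B's trace.
type LeakResult struct {
	FDForA, FDForB int
	TraceB         string
}

// DemonstrateReuse closes stdin so descriptor 0 is free, opens job A's trace
// (it receives fd 0), closes it while keeping the stale number, opens job
// B's trace (it also receives fd 0), then writes "through A".
func DemonstrateReuse(dir string) (LeakResult, error) {
	os.Stdin.Close() // demo assumption: this process no longer needs stdin
	fa, err := os.Create(filepath.Join(dir, "job-a.log"))
	if err != nil {
		return LeakResult{}, err
	}
	a := &rawTrace{job: "A", fd: int(fa.Fd())}
	fa.Close() // number is free again; a.fd is now stale

	fb, err := os.Create(filepath.Join(dir, "job-b.log"))
	if err != nil {
		return LeakResult{}, err
	}
	defer fb.Close()
	b := &rawTrace{job: "B", fd: int(fb.Fd())}

	a.write("SECRET_FROM_JOB_A\n") // constructed sample output of job A
	b.write("job B output\n")      // constructed sample output of job B

	data, err := os.ReadFile(fb.Name())
	if err != nil {
		return LeakResult{}, err
	}
	return LeakResult{FDForA: a.fd, FDForB: b.fd, TraceB: string(data)}, nil
}

// DemonstrateHardened repeats the sequence with safeTrace: the write through
// the closed trace A fails and job B's file contains only job B's output.
func DemonstrateHardened(dir string) (string, error) {
	fa, err := os.Create(filepath.Join(dir, "job-a.log"))
	if err != nil {
		return "", err
	}
	a := &safeTrace{job: "A", f: fa}
	a.close()

	fb, err := os.Create(filepath.Join(dir, "job-b.log"))
	if err != nil {
		return "", err
	}
	defer fb.Close()
	b := &safeTrace{job: "B", f: fb}

	if err := a.write("SECRET_FROM_JOB_A\n"); err == nil {
		return "", errors.New("write through closed trace A succeeded")
	}
	if err := b.write("job B output\n"); err != nil {
		return "", err
	}
	data, err := os.ReadFile(fb.Name())
	return string(data), err
}

func main() {
	dir, _ := os.MkdirTemp("", "trace-demo")
	defer os.RemoveAll(dir)
	r, err := DemonstrateReuse(dir)
	fmt.Printf("raw fds: A=%d B=%d err=%v\ntrace B:\n%s", r.FDForA, r.FDForB, err, r.TraceB)
	out, err := DemonstrateHardened(dir)
	fmt.Printf("hardened err=%v\ntrace B:\n%s", err, out)
}
```

The fix direction is the same as in any use-after-close bug: never let a component outlive the resource it refers to by number alone. A handle that knows it has been closed (or a trace wrapper that sets its field to nil on close and rejects writes) fails loudly instead of writing into a neighbour's log.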

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2022-03957
CVE-2021-39947

Affected Products

Gitlab
Gitlab Runner