PT-2023-2917 · GitLab · GitLab CE/EE (+1)

Yvvdwfon

Published: 2023-05-06 · Updated: 2024-03-06

CVE-2023-2478

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

GitLab CE/EE versions 15.4 through 15.9.6
GitLab CE/EE versions 15.10 through 15.10.5
GitLab CE/EE versions 15.11 through 15.11.1
Description

An issue has been discovered in GitLab CE/EE where, under certain conditions, an unauthorized GitLab user can use a GraphQL endpoint to attach a malicious runner to any project. The vulnerability stems from incorrect permission assignment for a critical resource when handling the GraphQL endpoint. Successful exploitation may allow a remote attacker to gain unauthorized access to protected information.
Recommendations

For GitLab CE/EE versions 15.4 through 15.9.6, update to version 15.9.7 to resolve the issue.
For GitLab CE/EE versions 15.10 through 15.10.5, update to version 15.10.6 to resolve the issue.
For GitLab CE/EE versions 15.11 through 15.11.1, update to version 15.11.2 to resolve the issue.

As a temporary workaround, consider restricting access to the GraphQL endpoint to minimize the risk of exploitation.

Weakness Enumeration

Incorrect Permission

Related Identifiers

BDU:2023-02886
BIT-GITLAB-2023-2478
CVE-2023-2478

Affected Products

GitLab
GitLab CE/EE