CVE-2023-2478
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious runner to any project.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE GraphQL endpoint allows unauthorized users to attach a malicious runner to any project, potentially stealing CI/CD jobs.
Vulnerability
GitLab CE/EE versions 15.4 before 15.9.7, 15.10 before 15.10.6, and 15.11 before 15.11.2 contain a missing permission check in the GraphQL runnerUpdate mutation. This endpoint allows associating a runner with a project without verifying that the current user has permission on the target project, enabling an attacker to attach a runner to any project [1].
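The missing check, modelled as a vulnerable handler beside its hardened form. This is a constructed illustration added here, not GitLab's code: the User, Project, Runner and RunnerUpdate names are hypothetical, and "maintainer access" stands in for whatever permission the real mutation should verify on each target project.

```ruby
# Constructed model of the authorization gap (not GitLab code): a
# runnerUpdate-style handler that re-associates a runner with projects.
require 'set'

User    = Struct.new(:name)
Project = Struct.new(:name, :maintainers)       # maintainers: Set of User
Runner  = Struct.new(:owner, :locked, :projects) # projects: Array of Project

class AuthorizationError < StandardError; end

class RunnerUpdate
  def initialize(current_user)
    @current_user = current_user
  end

  # Vulnerable shape: verifies the caller controls the runner and that the
  # runner is unlocked, but never checks the caller's rights on the targets.
  def call_unchecked(runner, projects)
    raise AuthorizationError, 'not runner owner' unless runner.owner == @current_user
    raise AuthorizationError, 'runner is locked' if runner.locked
    runner.projects = projects
    runner
  end

  # Hardened shape: additionally require maintainer access on every target.
  def call_checked(runner, projects)
    raise AuthorizationError, 'not runner owner' unless runner.owner == @current_user
    raise AuthorizationError, 'runner is locked' if runner.locked
    denied = projects.reject { |p| p.maintainers.include?(@current_user) }
    raise AuthorizationError, "no maintainer access on #{denied.map(&:name).join(', ')}" unless denied.empty?
    runner.projects = projects
    runner
  end
end

# Constructed scenario: the caller owns an unlocked runner and project "own";
# project "victim" is maintained by someone else.
def demo
  caller_user = User.new('caller')
  other_user  = User.new('other')
  own    = Project.new('own', Set[caller_user])
  victim = Project.new('victim', Set[other_user])
  runner = Runner.new(caller_user, false, [own])
  update = RunnerUpdate.new(caller_user)
  unchecked = update.call_unchecked(runner.dup, [own, victim]).projects.map(&:name)
  checked = begin
    update.call_checked(runner.dup, [own, victim]); :allowed
  rescue AuthorizationError => e
    e.message
  end
  { unchecked: unchecked, checked: checked }
end
```

The unchecked handler silently attaches the runner to "victim"; the checked one refuses with the name of the project the caller cannot administer.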
Exploitation
An attacker must have a valid GitLab account and register a runner on a project they own. The runner must be unlocked from its original project (by unchecking "Lock to current projects"). Using the GraphQL API, the attacker sends a runnerUpdate mutation with the runner's ID and the victim project's ID, associating the runner with the victim's project without authorization [1]. No further authentication or user interaction from the victim is required.
Impact
A successful attack allows the malicious runner to receive CI/CD jobs from the victim's project. This can lead to job execution on the attacker-controlled runner, potentially exposing secrets, source code, or other sensitive data present in the CI/CD environment. The runner can also be used to modify or exfiltrate artifacts, resulting in a compromise of confidentiality and integrity [1].
Mitigation
GitLab has fixed this vulnerability in versions 15.9.7, 15.10.6, and 15.11.2. Users should upgrade to these versions or later. There is no known workaround for affected versions [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=15.4, <15.9.7; >=15.10, <15.10.6; >=15.11, <15.11.2
- Range: >=15.4, <15.9.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.