GitLab Community Edition (CE) and Enterprise Edition (EE) both contain a critical vulnerability that could allow an attacker to take over runner registration tokens.
GitLab disclosed the flaw in a security release; it affects all versions from 12.10 up to 14.6.4, from 14.7 up to 14.7.3, and from 14.8 up to 14.8.1.
The bug is an information disclosure issue in GitLab's quick actions commands: if exploited, it lets an unauthorized user obtain, and therefore take over, runner registration tokens.
The latest releases (14.8.2, 14.7.4 and 14.6.5, for both CE and EE) patch the flaw, which GitLab has rated with a CVSS score of 9.6.
The DevOps platform vendor has also published hotfix instructions for self-managed instances running certain versions prior to 14.6.
Low complexity, high impact
Full technical details have not yet been released, but the flaw is being tracked as CVE-2022-0735.
A GitLab blog post does, however, include the CVSS scoring, which gives some context for the bug's severity.
The CVSS rating reflects low attack complexity, with no privileges and no user interaction required to exploit the flaw.
The issue was reported through GitLab's bug bounty program and prompted an internal investigation.
The blog post states, “We strongly suggest that all GitLab installations be upgraded to one of these versions immediately.”
Reset the token
GitLab warned project owners that the security update resets the runner registration tokens of groups and projects.
According to the blog post, this will break any automated processes used to register runners, such as scripts that hard-code the value of the registration token.
“However, it shouldn’t affect runners that have already registered. If this applies to your processes, your administrator might decide to create a backup of your current tokens, which can later be used to spot rogue runners or potentially dangerous registration tokens.
“Knowing that value will help admins monitor that type of behavior, for instance, if an unauthorized actor tries to register a runner using one of the revoked tokens,” the statement continued.
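As an added illustration of the backup-and-verify step the statement describes (example code written for this page, not GitLab's own tooling and not part of the original article): the script below reads each project's and group's `runners_token` through the GitLab REST API, stores the result, and after the upgrade checks that every token actually changed and that none of the revoked values is still hard-coded in a registration script. It assumes GitLab API v4's `GET /api/v4/projects/:id` and `GET /api/v4/groups/:id` return a `runners_token` field to users with maintainer or owner rights; the base URL, IDs and all token strings in the sample data are constructed, not real.

```python
"""Back up GitLab runner registration tokens before applying the
CVE-2022-0735 fix and verify afterwards that every token was rotated.

Added example, not GitLab's own tooling. Assumes GitLab REST API v4:
GET /api/v4/projects/:id and GET /api/v4/groups/:id return a
`runners_token` field to users with maintainer/owner rights.
"""
import json
import urllib.request
from typing import Dict, List, Set


def fetch_registration_tokens(base_url: str, private_token: str,
                              project_ids: List[int],
                              group_ids: List[int]) -> Dict[str, str]:
    """Collect {"project:<id>": token, "group:<id>": token} from a live
    instance. Needs network access; run it once before and once after
    the upgrade and save each result with save_backup()."""
    tokens: Dict[str, str] = {}
    for kind, ids in (("projects", project_ids), ("groups", group_ids)):
        for obj_id in ids:
            req = urllib.request.Request(
                f"{base_url.rstrip('/')}/api/v4/{kind}/{obj_id}",
                headers={"PRIVATE-TOKEN": private_token},
            )
            with urllib.request.urlopen(req, timeout=30) as resp:
                body = json.load(resp)
            tokens[f"{kind[:-1]}:{obj_id}"] = body["runners_token"]
    return tokens


def save_backup(tokens: Dict[str, str], path: str) -> None:
    """Write the token map to disk; treat the file as a secret."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(tokens, fh, indent=2)


def compare_rotation(before: Dict[str, str],
                     after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every scope found in the pre-upgrade backup.

    'unchanged' means the fix did not rotate that token (investigate);
    'missing' means the scope no longer exists or the post-upgrade
    API call was denied."""
    result: Dict[str, List[str]] = {"rotated": [], "unchanged": [], "missing": []}
    for key, old in before.items():
        new = after.get(key)
        if new is None:
            result["missing"].append(key)
        elif new == old:
            result["unchanged"].append(key)
        else:
            result["rotated"].append(key)
    return result


def revoked_tokens(before: Dict[str, str]) -> Set[str]:
    """Every pre-upgrade token is revoked once the fix is applied."""
    return set(before.values())


def find_revoked_in_text(text: str, revoked: Set[str]) -> List[str]:
    """Return the revoked tokens that still appear verbatim in `text`,
    e.g. a registration script, a CI config or a shell history.
    A hit is either a stale automation job or reuse of a leaked token."""
    return sorted(tok for tok in revoked if tok in text)


# Constructed sample data (not real tokens): what two API sweeps might
# return before and after the upgrade, plus a stale registration script.
SAMPLE_BEFORE = {
    "project:42": "regtok-old-p42",
    "project:43": "regtok-old-p43",
    "group:7": "regtok-old-g7",
}
SAMPLE_AFTER = {
    "project:42": "regtok-new-p42",   # rotated as expected
    "project:43": "regtok-old-p43",   # NOT rotated: needs a look
    # "group:7" absent: scope gone or request denied
}
SAMPLE_SCRIPT = (
    "gitlab-runner register --non-interactive "
    "--url https://gitlab.example.com/ "
    "--registration-token regtok-old-p43 --executor docker\n"
)

if __name__ == "__main__":
    print(json.dumps(compare_rotation(SAMPLE_BEFORE, SAMPLE_AFTER), indent=2))
    print("revoked tokens still hard-coded:",
          find_revoked_in_text(SAMPLE_SCRIPT, revoked_tokens(SAMPLE_BEFORE)))
```

Run the fetch once before the upgrade and once after, and feed both snapshots to `compare_rotation`; a scope in the `unchanged` bucket means the old token still registers runners on that instance and deserves the same attention as a leaked one. The backup file holds tokens that remain valid until the upgrade lands, so store it with the same care as any other credential.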