A critical vulnerability in both GitLab Community and Enterprise Edition could enable an attacker to steal runner registration tokens.
The vulnerability, which affects all versions from 12.10 to 14.6.4, 14.7 to 14.7.3, and 14.8 to 14.8.1, was announced in a security advisory from GitLab.
If exploited, an unauthorized user could obtain runner registration tokens through an information disclosure flaw triggered via quick actions commands.
It has been assigned a CVSS score of 9.6 and has been patched in the latest releases: 14.8.2, 14.7.4, and 14.6.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
The DevOps company has also released hotfix instructions for self-managed instances running select versions older than 14.6.
High impact, low complexity
The security flaw is being tracked as CVE-2022-0735, though full technical details have not yet been provided.
A blog post from GitLab, however, includes information about the CVSS scoring which gives some further insight into the severity of the bug.
According to the CVSS scoring matrix, the vulnerability is of low complexity and requires no privileges or user interaction to be exploited.
The flaw was reported through GitLab’s bug bounty program, which sparked an internal investigation.
“We strongly recommend that all GitLab installations be upgraded to one of these versions immediately,” the blog post reads.
Hit reset
GitLab warned project owners that the security update will reset runner registration tokens for groups and projects.
The blog post reads: “If you use an automated process (scripts that encode the value of the registration token) to register runners, this update will break that process.
“However, it should have no effect on previously registered runners. If applicable to your processes, your administrator may choose to save a backup of your existing tokens which can later help identify potentially malicious registration tokens, or rogue runners.
“For example, if an unauthorized actor tries to register a runner using one of the revoked tokens, knowing that value will help admins monitor that type of activity.”
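The advice above (keep a backup of the pre-upgrade tokens so you can spot anyone trying to register a runner with a revoked one) is easy to turn into a small post-upgrade check. The following is an added example, not GitLab's code and not from the original article. It assumes the administrator saved the old registration tokens before upgrading, has the new ones to hand after the reset, and can obtain the token presented in each runner registration attempt from some source such as a reverse proxy or audit pipeline; the token values, the attempt records and their field layout are all constructed for illustration. The backup stores SHA-256 fingerprints rather than the tokens themselves, so the file is useful for matching but not for registering runners, and a `confirm_rotation` helper verifies that every scope's token actually changed. Note that already-registered runners keep working because they exchanged the registration token for a per-runner authentication token at registration time, which the reset does not touch.

```python
"""Rogue-runner check after a GitLab registration-token reset (added example)."""
import hashlib
from dataclasses import dataclass

# Constructed, illustrative values: NOT real GitLab tokens.
# Keyed by the scope (group or project) the token registers runners for.
OLD_TOKENS = {
    "group:platform": "GR1348941k3Jd9sQp2LxWvB7yTzNc",
    "project:platform/api": "GR1348941aH8uR4mEq1VcYsKd0PwZ",
}
NEW_TOKENS = {
    "group:platform": "GR1348941zQ2vT7nBfX4cLm9pRwYk",
    "project:platform/api": "GR1348941bM5sW8dKe3JhUcN6vPoX",
}


def fingerprint(token):
    """SHA-256 of the token, so the backup never stores a usable secret."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def build_backup(tokens):
    """Map fingerprint -> scope. This is the file the admin keeps after the reset."""
    return {fingerprint(t): scope for scope, t in tokens.items()}


def confirm_rotation(old, new):
    """Return the scopes whose registration token did NOT change (expected: none)."""
    return sorted(scope for scope, t in old.items() if new.get(scope) == t)


@dataclass
class Attempt:
    """One runner registration attempt; the field layout is an assumption."""
    ts: str
    remote_ip: str
    token: str          # value presented to POST /api/v4/runners
    description: str    # runner description supplied by the caller


def classify(attempt, revoked_backup, current_backup):
    """'current', 'revoked:<scope>' (old token reused) or 'unknown' (never ours)."""
    fp = fingerprint(attempt.token)
    if fp in current_backup:
        return "current"
    if fp in revoked_backup:
        return "revoked:" + revoked_backup[fp]
    return "unknown"


def scan(attempts, old, new):
    """Return (ts, ip, verdict, description) for every attempt not using a current token."""
    revoked = build_backup(old)
    current = build_backup(new)
    alerts = []
    for a in attempts:
        verdict = classify(a, revoked, current)
        if verdict != "current":
            alerts.append((a.ts, a.remote_ip, verdict, a.description))
    return alerts


# Constructed sample attempts: one legitimate, one reusing a revoked token,
# one with a token that was never issued by this instance.
SAMPLE_ATTEMPTS = [
    Attempt("2022-03-01T10:02:11Z", "10.0.4.12", NEW_TOKENS["group:platform"], "ci-runner-01"),
    Attempt("2022-03-01T10:05:40Z", "203.0.113.77", OLD_TOKENS["project:platform/api"], "builder"),
    Attempt("2022-03-01T10:09:03Z", "198.51.100.9", "GR1348941notAnyKnownTokenValue", "test"),
]

if __name__ == "__main__":
    stale = confirm_rotation(OLD_TOKENS, NEW_TOKENS)
    print("scopes still on the old token:", stale or "none")
    for alert in scan(SAMPLE_ATTEMPTS, OLD_TOKENS, NEW_TOKENS):
        print("ALERT", alert)
```

A `revoked:` verdict is the signal GitLab describes: someone holds a token that was only ever valid before the upgrade, which points at a leak worth investigating. An `unknown` verdict is less conclusive but still worth a look, since the request would have been rejected anyway. Automation that registers runners should fetch the current token from the API at run time rather than embedding it in a script, which is exactly what the reset breaks.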
Source: https://portswigger.net/daily-swig/critical-gitlab-vulnerability-could-allow-attackers-to-steal-runner-registration-tokens