CVE-2023-2478 Overview
An authorization bypass vulnerability has been discovered in GitLab CE/EE that allows malicious unauthorized users to attach runners to arbitrary projects through a GraphQL endpoint. This vulnerability affects multiple versions of GitLab and represents a significant security concern for organizations relying on GitLab's CI/CD infrastructure, as it could allow attackers to execute malicious code within project pipelines.
Critical Impact
Unauthorized users can attach malicious runners to any project, potentially enabling code execution, data exfiltration, and supply chain attacks through compromised CI/CD pipelines.
Affected Products
- GitLab Community Edition (CE) versions 15.4 before 15.9.7
- GitLab Community Edition (CE) versions 15.10 before 15.10.6
- GitLab Community Edition (CE) versions 15.11 before 15.11.2
- GitLab Enterprise Edition (EE) versions 15.4 before 15.9.7
- GitLab Enterprise Edition (EE) versions 15.10 before 15.10.6
- GitLab Enterprise Edition (EE) versions 15.11 before 15.11.2
Discovery Timeline
- 2023-05-08 - CVE-2023-2478 published to NVD
- 2025-01-29 - Last updated in NVD database
Technical Details for CVE-2023-2478
Vulnerability Analysis
This vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). The flaw exists within GitLab's GraphQL API implementation, specifically in the authorization logic for runner registration and attachment operations. Under certain conditions, the API fails to properly validate whether the requesting user has appropriate permissions to attach a runner to a target project.
The vulnerability enables a low-privileged, authenticated GitLab user to bypass authorization controls and attach a runner they control to projects where they should not have administrative access. This is particularly dangerous because runners execute CI/CD jobs, meaning an attacker could potentially intercept secrets, inject malicious code into build processes, or exfiltrate sensitive data from affected projects.
Root Cause
The root cause stems from improper permission assignment within GitLab's GraphQL endpoint handling runner attachments. The authorization check that should verify whether a user has project maintainer or owner privileges before allowing runner attachment was insufficient or missing under specific conditions. This allowed authenticated users to manipulate GraphQL mutations to attach runners to projects they do not own or maintain.
Attack Vector
The attack is network-based and requires low privileges (any authenticated GitLab user). The attacker exploits the vulnerable GraphQL endpoint to attach a malicious runner to a target project. Once attached, the rogue runner can pick up and execute CI/CD jobs for that project, potentially:
- Accessing environment variables and secrets configured for the project
- Modifying build artifacts and injecting malicious code
- Exfiltrating source code and sensitive data
- Compromising the software supply chain by tampering with releases
The attack does not require user interaction and can be performed remotely over the network. Additional technical details about the exploitation mechanism can be found in the HackerOne Report #1969599 and the GitLab Issue #409470.
Detection Methods for CVE-2023-2478
Indicators of Compromise
- Unexpected runner registrations appearing in project CI/CD settings
- New or unauthorized runners attached to projects without administrator approval
- Anomalous GraphQL API requests targeting runner mutation endpoints
- CI/CD jobs executing on unfamiliar or suspicious runners
Detection Strategies
- Monitor GitLab audit logs for runner registration and attachment events, especially those initiated by non-admin users
- Implement alerting on GraphQL API calls to runner-related mutations from unexpected user accounts
- Review runner configurations across projects to identify any unauthorized runner attachments
- Correlate runner activity with user authorization levels to detect privilege violations
Monitoring Recommendations
- Enable comprehensive audit logging for GitLab CI/CD operations
- Configure SIEM rules to alert on runner attachment events that don't match expected patterns
- Regularly audit the list of registered runners across all projects and groups
- Monitor for unusual CI/CD job execution patterns that may indicate rogue runner activity
How to Mitigate CVE-2023-2478
Immediate Actions Required
- Upgrade GitLab CE/EE to version 15.9.7, 15.10.6, or 15.11.2 or later immediately
- Audit all registered runners across your GitLab instance to identify any unauthorized attachments
- Review CI/CD job history for any suspicious executions on unrecognized runners
- Temporarily restrict runner registration permissions while investigating potential compromise
Patch Information
GitLab has released security patches addressing this vulnerability. Organizations should upgrade to the following patched versions:
- Version 15.9.7 for the 15.9.x branch
- Version 15.10.6 for the 15.10.x branch
- Version 15.11.2 for the 15.11.x branch
Detailed patch information is available in the GitLab CVE-2023-2478 advisory.
Workarounds
- Restrict GraphQL API access to trusted users and IP ranges where possible
- Implement network segmentation to limit access to GitLab's internal APIs
- Enable additional authentication requirements for sensitive API operations
- Review and tighten runner registration tokens and shared runner configurations
# Audit registered runners via GitLab Rails console
gitlab-rails runner "Ci::Runner.all.each { |r| puts \"#{r.id}: #{r.description} - Projects: #{r.projects.pluck(:full_path).join(', ')}\" }"
# Check runner registration events in audit logs
grep -i "runner" /var/log/gitlab/gitlab-rails/audit_json.log | jq '.entity_type, .author_name, .action'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
