CVE-2023-2478: 
GitLab vulnerability analysis and mitigation

CVE-2023-2478 is a critical security vulnerability discovered in GitLab CE/EE affecting all versions from 15.4 before 15.9.7, 15.10 before 15.10.6, and 15.11 before 15.11.2. The vulnerability, titled 'Malicious Runner Attachment via GraphQL', was discovered by researcher yvvdwf through GitLab's HackerOne bug bounty program and was disclosed on May 5, 2023 (GitLab Release, Security Online).

The vulnerability exists in a GraphQL endpoint that allows unauthorized association of runners to projects. Under certain conditions, any GitLab user account on the instance can exploit this endpoint to attach a malicious runner to any project within the instance, bypassing proper permission checks. The vulnerability has been assigned a CVSS v3.1 score of 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N), indicating its critical severity (GitLab Release).

The vulnerability allows attackers to potentially steal runner jobs, which could lead to unauthorized access to private information including project code and CI/CD job tokens. The impact is particularly severe as it affects any project within the GitLab instance, regardless of access permissions (Security Online).

GitLab has released patched versions 15.11.2, 15.10.6, and 15.9.7 for both Community Edition (CE) and Enterprise Edition (EE) to address this vulnerability. Users are strongly recommended to upgrade their GitLab installations to one of these versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).