Critical GitLab Vulnerability Could Allow Attackers To Steal Runner Registration Tokens

It has been reported that a critical vulnerability in both GitLab Community and Enterprise Edition could enable an attacker to steal runner registration tokens. The vulnerability, which affects all versions from 12.10 to 14.6.4, all versions from 14.7 to 14.7.3, and all versions from 14.8 to 14.8.1, was announced in a security advisory from GitLab. If exploited, it allows an unauthorized user to steal runner registration tokens through an information disclosure flaw triggered via quick actions commands. It has been assigned a CVSS score of 9.6 and has been patched in the latest releases: 14.8.2, 14.7.4, and 14.6.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
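To turn the affected ranges above into a quick triage check, here is an added example (not GitLab's own code) that maps a reported GitLab version string to the advisory's affected ranges and the fixed release a practitioner should upgrade to; the inventory dictionary and its hostnames are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and fixed releases as stated in the advisory.
# Each entry is (first affected, last affected, fixed release), inclusive bounds.
AFFECTED_RANGES = [
    ((12, 10, 0), (14, 6, 4), (14, 6, 5)),
    ((14, 7, 0), (14, 7, 3), (14, 7, 4)),
    ((14, 8, 0), (14, 8, 1), (14, 8, 2)),
]


def parse_version(text: str) -> Version:
    """Turn strings such as '14.7.3-ee' or '14.8' into a (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]  # drop the '-ee' / '-ce' edition suffix if present
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:  # '14.8' means the first release of the 14.8 series
        parts.append(0)
    if len(parts) != 3:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (parts[0], parts[1], parts[2])


def check_version(version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release) for one GitLab version string."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return True, ".".join(str(n) for n in fixed)
    return False, None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {hostname: version} inventory to the release it must move to."""
    return {
        host: fixed
        for host, version in inventory.items()
        for affected, fixed in [check_version(version)]
        if affected and fixed is not None
    }


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {"gitlab-a.example": "14.7.3-ee", "gitlab-b.example": "14.8.2", "gitlab-c.example": "13.12.0"}
    for host, fixed in triage(sample).items():
        print(f"{host}: affected, upgrade to {fixed}")
```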

Expert Comments

March 03, 2022
Debrup Ghosh
Senior Product Manager
Synopsys Software Integrity Group


Commercial software often either includes or runs on open source technologies that present an array of vectors for supply chain attacks. Companies need to invest in building trust into their software and have controls throughout the entire SDLC to monitor not only their source code or binaries, but also proprietary tools (such as GitLab), platforms, and infrastructure to understand how software was built, configured, and deployed. Every company is today not only a software company, but also a security company; hence organizations need to realise supply chain risk is a real business risk that needs a holistic Software Supply Chain Risk Management (SSCRM) Program to continually monitor, evaluate, and mitigate evolving cybersecurity risks.

March 03, 2022
Jonathan Knudsen
Senior Security Strategist
Synopsys


The recent disclosure about CVE-2022-0735 by Gitlab is an excellent illustration of the multilayered complexity of the software supply chain. This disclosure highlights the broad reach of the software supply chain, which encompasses not only all the open source and third-party components that make up applications, but also the tools and infrastructure that are used in building and deploying the application. If you make an airplane, the raw materials, engines, seats, and rivets are all part of the supply chain, but likewise so are the wrenches, rivet guns, and other tools and mechanisms used in building the airplane.

The Gitlab vulnerability has to do with leakage of authentication tokens that could allow an attacker to observe or hijack a victim’s build automation. Left unpatched, it could have allowed an attacker access to sensitive information or the ability to disrupt the construction and deployment of applications. As always, the first step in securing the software supply chain is awareness. In this case, customers need to be aware of the software components, tooling, and infrastructure that make up their application software supply chains, and take steps to reduce risk at every turn. Tracking vulnerabilities in the supply chain enables organizations to respond quickly by upgrading their deployment of Gitlab. Affected Gitlab users are urged to upgrade as quickly as possible.
