Warning – Critical GitLab Vulnerability Could Allow Attackers to Steal Runner Registration Tokens
Unpatched versions of GitLab CE/EE are vulnerable to information disclosure through quick actions commands, allowing an unauthorized user to steal runner registration tokens.
An issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.2, 14.7.4, and 14.6.5.
This information disclosure vulnerability allows an unauthorized user to steal runner registration tokens using quick actions commands.
This vulnerability was disclosed to GitLab through the HackerOne bug bounty program.
GitLab has released versions 14.8.2, 14.7.4, and 14.6.5 for both the Community Edition and the Enterprise Edition; this release also serves as the monthly security release for February.
GitLab strongly recommends that all GitLab installations be upgraded to one of these versions immediately.
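To triage a fleet against the fixed releases listed above, the following added example (not part of the original advisory or GitLab's own tooling) sorts instances by reported version string. The hostnames and versions are constructed, and treating branches newer than 14.8 as already fixed is an assumption.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(14, 8): (14, 8, 2), (14, 7): (14, 7, 4), (14, 6): (14, 6, 5)}
OLDEST_FIXED = min(FIXED.values())  # (14, 6, 5)

def parse_version(text):
    """Return (major, minor, patch) from strings such as '14.8.1-ee'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text or "")
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(g) for g in m.groups())

def needs_upgrade(text):
    """True if this version predates the fixed release for its branch."""
    ver = parse_version(text)
    fixed = FIXED.get(ver[:2])
    if fixed is not None:
        return ver < fixed
    # Branches older than 14.6 fall under "all versions prior to" the fixes.
    # Assumption: branches newer than 14.8 already contain the fix.
    return ver < OLDEST_FIXED

def triage(inventory):
    """Sort hosts into 'upgrade', 'ok' and 'review' (version unreadable)."""
    result = {"upgrade": [], "ok": [], "review": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "upgrade" if needs_upgrade(version) else "ok"
        except ValueError:
            bucket = "review"
        result[bucket].append(host)
    return result

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "gitlab-a.example": "14.8.1-ee",
    "gitlab-b.example": "14.7.4",
    "gitlab-c.example": "13.12.15-ce",
    "gitlab-d.example": "15.0.0-ee",
    "gitlab-e.example": "unknown",
    "gitlab-f.example": "14.6.4",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `review` bucket reported a version that could not be parsed and should be checked by hand rather than assumed safe.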