CVE-2023-2478

9.6 CRITICAL

📋 TL;DR

This vulnerability allows unauthorized GitLab users to attach malicious runners to any project via a GraphQL endpoint. It affects GitLab Community Edition and Enterprise Edition installations running vulnerable versions. Attackers could potentially execute arbitrary code on affected systems.

💻 Affected Systems

Products:
  • GitLab Community Edition
  • GitLab Enterprise Edition
Versions: 15.4 to 15.9.6, 15.10 to 15.10.5, 15.11 to 15.11.1
Operating Systems: All platforms running GitLab
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with GraphQL enabled (default). Requires at least one unauthorized user account.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...

Learn more about Gitlab →


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains full control of the GitLab server through malicious runner execution, leading to data theft, system compromise, and lateral movement within the network.

🟠 Likely Case

Unauthorized users attach malicious runners to projects, potentially executing arbitrary code in the context of the GitLab runner, compromising project data and CI/CD pipelines.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to specific projects, but unauthorized runner attachments could still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a malicious user account but no special privileges. Public HackerOne report details the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.9.7, 15.10.6, or 15.11.2

Vendor Advisory: https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2478.json

Restart Required: Yes

Instructions:

1. Backup your GitLab instance.
2. Update to GitLab 15.9.7, 15.10.6, or 15.11.2 using your package manager.
3. Restart GitLab services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable GraphQL endpoint
  • Applies to: all
  • Temporarily disable the GraphQL API to prevent exploitation
  • Edit GitLab configuration to disable GraphQL (not recommended for production)

Restrict user registration
  • Applies to: all
  • Prevent new unauthorized user accounts from being created
  • Set signup_enabled to false in gitlab.rb configuration

🧯 If You Can't Patch

  • Implement strict access controls to limit who can create user accounts
  • Monitor GraphQL endpoint logs for unauthorized runner attachment attempts

🔍 How to Verify

Check if Vulnerable:

Check the GitLab version via the admin panel or the command line. If the version falls within one of the affected ranges, the system is vulnerable.

Check Version:

sudo gitlab-rake gitlab:env:info | grep Version

Verify Fix Applied:

Verify that the GitLab version is 15.9.7, 15.10.6, or 15.11.2 or higher on its respective release line. Test GraphQL runner attachment with an unauthorized user.
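A small version-assessment helper for the check above, added here as an example and not part of the advisory or of GitLab's tooling. It parses the output of `gitlab-rake gitlab:env:info | grep Version` (sample output is constructed; it assumes the first line beginning with `Version:` is GitLab's own, as in the real output the qualified lines such as `Ruby Version:` do not start with that word) and maps the version onto the affected ranges and fixed releases stated on this page.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, with the fixed release for each line:
# (lowest affected, highest affected, first fixed), all inclusive.
AFFECTED_RANGES = [
    ((15, 4, 0), (15, 9, 6), (15, 9, 7)),
    ((15, 10, 0), (15, 10, 5), (15, 10, 6)),
    ((15, 11, 0), (15, 11, 1), (15, 11, 2)),
]

# Only an unqualified "Version:" line (GitLab's own) matches; "Ruby Version:"
# and friends are excluded by the ^ anchor. Suffixes such as "-ee" are ignored.
VERSION_RE = re.compile(r"^Version:\s*(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Constructed sample of `gitlab-rake gitlab:env:info | grep Version` output.
SAMPLE_GREP_OUTPUT = """Ruby Version:\t3.0.6p216
Gem Version:\t3.2.33
Version:\t15.9.6-ee
Version:\t14.17.0
"""


def parse_version(env_info: str) -> Optional[Version]:
    """Return GitLab's (major, minor, patch) from env:info output, or None."""
    match = VERSION_RE.search(env_info)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(version: Version) -> Dict[str, object]:
    """Report whether a version is in an affected range and which release fixes it."""
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return {"vulnerable": True, "fix": ".".join(map(str, fixed))}
    return {"vulnerable": False, "fix": None}


if __name__ == "__main__":
    found = parse_version(SAMPLE_GREP_OUTPUT)
    print(found, assess(found) if found else "no GitLab version line found")
```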

📡 Detection & Monitoring

Log Indicators:

  • GraphQL queries for runner registration from unauthorized users
  • Unexpected runner attachments in project logs

Network Indicators:

  • GraphQL API requests to /api/graphql endpoint from unexpected sources

SIEM Query:

source="gitlab" AND ("graphql" AND "runner" AND "register")
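The same indicators applied to GitLab's GraphQL request log, as an added example (not from the advisory and not a GitLab component). It assumes the JSON-lines layout of `graphql_json.log` with the fields `time`, `meta.user`, `meta.remote_ip`, `operation_name` and `query_string`; the log lines and the allowlist of users expected to manage runners are constructed, and the mutation names in the samples are there only to exercise the matcher, not to identify the vulnerable operation.

```python
import json
import re
from typing import Dict, Iterable, List

# Constructed sample lines in the shape of GitLab's graphql_json.log
# (field names assumed from GitLab's documented format; values invented).
SAMPLE_LOG = """\
{"time":"2023-05-02T10:00:01Z","meta.user":"alice","meta.remote_ip":"10.0.0.5","operation_name":"projectQuery","query_string":"query { project(fullPath: \\"grp/app\\") { id } }"}
{"time":"2023-05-02T10:00:07Z","meta.user":"mallory","meta.remote_ip":"203.0.113.9","operation_name":"attachRunner","query_string":"mutation { runnerUpdate(input: {id: \\"gid://gitlab/Ci::Runner/7\\"}) { errors } }"}
this line is not json and must not abort the sweep
{"time":"2023-05-02T10:00:09Z","meta.user":"bob","meta.remote_ip":"10.0.0.6","operation_name":"registerRunner","query_string":"mutation { runnerUpdate(input: {id: \\"gid://gitlab/Ci::Runner/8\\"}) { errors } }"}
"""

# Constructed allowlist: accounts that legitimately manage runners here.
RUNNER_ADMINS = {"bob"}

RUNNER_RE = re.compile(r"runner", re.IGNORECASE)


def runner_mutation_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag GraphQL mutations touching runners; alert when the caller is not an allowed admin."""
    events: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, keep sweeping
        text = f"{rec.get('operation_name', '')} {rec.get('query_string', '')}"
        # Read-only queries are uninteresting; only mutations can attach a runner.
        if "mutation" not in text.lower() or not RUNNER_RE.search(text):
            continue
        user = str(rec.get("meta.user", "<anonymous>"))
        events.append({
            "time": str(rec.get("time", "")),
            "user": user,
            "ip": str(rec.get("meta.remote_ip", "")),
            "operation": str(rec.get("operation_name", "")),
            "severity": "info" if user in RUNNER_ADMINS else "alert",
        })
    return events


if __name__ == "__main__":
    for event in runner_mutation_events(SAMPLE_LOG.splitlines()):
        print(event)
```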
