GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*
- >= 16.0, < 17.0.6
- >= 17.1, < 17.1.4
- >= 17.2, < 17.2.2
A vulnerability in GitLab EE allows the 'gitlab-security-policy-bot' to bypass cross-project access restrictions and execute CI/CD pipelines in other projects. This issue affects all versions from 16.0 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. The vulnerability arises because the 'CI_JOB_TOKEN' of the security policy bot can be used to access private repositories and CI variables, and to trigger pipelines that control deployments and environments.
Exploitation of this vulnerability allows an attacker to run CI/CD pipeline jobs as the 'gitlab-security-policy-bot', accessing private repositories and CI variables, and potentially manipulating deployments and environments.
To reproduce this vulnerability, two GitLab instances are needed. The first instance should have a public project with the 'gitlab-security-policy-bot' as a member. The second instance, controlled by the attacker, should be used to create a group and project that will be imported into the first instance. After importing, the attacker can merge a request that triggers a pipeline job in the victim project, using the 'CI_JOB_TOKEN' to access and execute actions as the security policy bot.
Users should update to the fixed release of their release line: 17.0.6, 17.1.4, or 17.2.2, matching the affected ranges listed above.
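As an added triage aid (not part of the advisory), the following Python checks a GitLab version string against the three affected ranges above and names the fixed release on the same line; the version strings in the example are constructed inputs, and the `-ee`/`-rc` suffix handling is an assumption about how GitLab reports versions.

```python
# Added example: version triage against the affected ranges in this advisory.
# Ranges are (lower inclusive, upper exclusive) tuples taken from the text.
from __future__ import annotations
import re

AFFECTED_RANGES = [
    ((16, 0, 0), (17, 0, 6)),   # >= 16.0, < 17.0.6
    ((17, 1, 0), (17, 1, 4)),   # >= 17.1, < 17.1.4
    ((17, 2, 0), (17, 2, 2)),   # >= 17.2, < 17.2.2
]
FIXED_VERSIONS = ["17.0.6", "17.1.4", "17.2.2"]


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into ints, ignoring an optional leading 'v'
    and any trailing edition/pre-release suffix such as '-ee' or '-rc1'.
    Caveat: a pre-release of a fixed version (e.g. '17.0.6-rc1') is treated
    as the fixed version itself; confirm GA builds separately."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str | None:
    """Fixed release on the same MAJOR.MINOR line, or the first fixed release
    (17.0.6) for older 16.x lines; None when the version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[:2] == v[:2]:
            return fixed
    return FIXED_VERSIONS[0]


if __name__ == "__main__":
    # Constructed sample inputs, in the format GitLab reports versions.
    for sample in ["16.11.2-ee", "17.0.5-ee", "17.1.3-ee", "17.2.2-ee"]:
        print(sample, "affected" if is_affected(sample) else "not affected",
              recommended_fix(sample) or "")
```

The version string to feed in is the one an administrator sees in the admin area or from GitLab's authenticated `GET /api/v4/version` endpoint.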