GitLab Improper Access Control Vulnerability in Runners API Allows Unauthorized Access to Pipeline Job Information

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 15.1 prior to 18.7.6, 18.8 prior to 18.8.6, and 18.9 prior to 18.9.2. Under certain conditions, this vulnerability could have allowed an authenticated user to access previous pipeline job information on projects where the repository and CI/CD features were disabled, due to inadequate authorization checks.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive pipeline job information, potentially allowing users to gain insights into project activities and workflows that are meant to be private.

Remediation

Users are advised to upgrade to GitLab versions 18.9.2, 18.8.6, or 18.7.6. Instructions for updating GitLab can be found on the GitLab Update page. For GitLab Runner, refer to the Updating the Runner page.