GitLab Blog

GitLab Critical Security Release: 15.11.2, 15.10.6, and 15.9.7


GitLab has released versions 15.11.2, 15.10.6, and 15.9.7 containing critical security fixes, and urges all GitLab installations to upgrade immediately. GitLab.com is already running the patched version. Two types of security releases are available: a monthly scheduled security release and ad-hoc security releases for critical vulnerabilities. It is recommended that all customers upgrade to the latest security release for their supported version to maintain good security hygiene.

Recommended Action

All installations running affected versions should upgrade to the latest version as soon as possible.

Table of Fixes

The following security issue was addressed:

  • Malicious Runner Attachment via GraphQL: A vulnerability affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, and all versions starting from 15.11 before 15.11.2 was discovered, allowing any GitLab user account to attach a malicious runner to any project on the instance through a GraphQL endpoint. The issue has been assigned CVE-2023-2478 and is now mitigated in the latest release.
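The affected ranges above are easy to misread when an instance is on an older minor release, so the following added example (not GitLab's code, and not part of this advisory) encodes them exactly as stated and answers "is this version affected, and which release fixes it?". It assumes GitLab version strings of the form `MAJOR.MINOR[.PATCH]` with an optional edition suffix such as `-ee`; the function and constant names are this example's own.

```python
"""Check a GitLab version string against the CVE-2023-2478 affected ranges.

Added example, not GitLab's code. The ranges are transcribed from the advisory:
  - 15.4  up to but not including 15.9.7
  - 15.10 up to but not including 15.10.6
  - 15.11 up to but not including 15.11.2
"""
import sys
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected version, first fixed version) for each release branch.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((15, 4, 0), (15, 9, 7)),
    ((15, 10, 0), (15, 10, 6)),
    ((15, 11, 0), (15, 11, 2)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    An edition suffix such as '-ee' (assumed format) is ignored; a missing
    PATCH component is treated as 0, so '15.4' compares as 15.4.0.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range from the advisory."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Return the first fixed release for the running branch, or None if unaffected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Usage: python check_cve_2023_2478.py 15.10.5-ee
    for arg in sys.argv[1:]:
        fix = recommended_fix(arg)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{arg}: {status}")
```

Branches older than 15.4 and newer than 15.11 are reported as outside the stated ranges; the advisory makes no statement about them, so the script does not either, and operators on unsupported branches should still follow the upgrade recommendation above.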

Receive Security Release Notifications

To receive security release notifications to your inbox, visit GitLab's contact page.