Blog Security Group Runner Registration Token Vulnerability
Published on: April 10, 2019
2 min read

Group Runner Registration Token Vulnerability

How we responded to a vulnerability in group runner registration tokens.

security-cover-new.png

In keeping with GitLab’s value of transparency we believe in communicating potential and confirmed security incidents clearly and promptly. GitLab takes the security and privacy of your data extremely seriously. We will always take the most expedient and effective action to prevent and mitigate security risks, and will strive to use those lessons learned to improve our security posture and protect customer data.

Background

On April 5, 2019 we received a submission through our public HackerOne program by storm_spirit describing a vulnerability which exposed Group Runner Registration Tokens. Although there is no evidence to suggest that any projects on GitLab.com have been accessed in an unauthorized manner, we took the action to reset all group registration tokens on GitLab.com earlier this week. For GitLab.com customers, no further action is required. For self-managed customers, please see the Action Required section below for further instructions.

Response and mitigation

Following analysis of the vulnerability and impacted areas of GitLab, a patch was deployed to GitLab.com on April 8, 2019 and between 09:00 - 09:40 UTC and the Group Runner Registration Tokens were reset for all groups hosted on GitLab.com. The results of this deployment allowed us to validate the fix and confidently include it as part of the GitLab Enterprise Edition (EE) 11.9.7, 11.8.7, and 11.7.11 critical security releases.

In parallel to the analysis, an investigation found no evidence to suggest any projects on GitLab.com had been compromised as a result of this vulnerability. We will continue to monitor for any related impact on GitLab.com.

Action Required

We strongly recommend all self-managed instances of GitLab Enterprise Edition to be upgraded to 11.9.7, 11.8.7, or 11.7.11 to resolve this vulnerability.

Self-managed instances of GitLab Community Edition are not affected by this vulnerability and no further action is required.

Gitlab.com users are no longer at risk to the vulnerability following the April 8th patch and no action is required. If you are experiencing issues with Runners related to Registration Tokens, we encourage you to review our Runner documentation or contact GitLab Support for further assistance.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert