GitLab vulnerability that allows code to be run during CI builds of any project

Corrective updates of the collaborative development platform GitLab (15.11.2, 15.10.6 and 15.9.7) have been published, fixing a critical vulnerability (CVE-2023-2478) that allows any authenticated user, by manipulating the GraphQL API, to attach their own runner (the application that executes jobs when project code is built in a continuous integration system) to any project on the same server. Details of exploitation have not yet been disclosed. The vulnerability was reported to GitLab through HackerOne's bug bounty program.

Source: opennet.ru
