N/A

A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG build variable.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

N/A

Gitlab runner 命令注入漏洞

GitLab是美国GitLab公司的一款使用Ruby on Rails开发的、自托管的、Git（版本控制系统）项目仓库应用程序。该程序可用于查阅项目的文件内容、提交历史、Bug列表等。 Gitlab runner 13.2.4之前版本,13.3.2版本，13.4.1版本存在安全漏洞，该漏洞源于在Windows系统上docker executor,攻击者可利用该漏洞在Windows主机上运行任意命令,通过DOCKER_AUTH_CONFIG构建变量。

N/A

N/A