Attacker can trigger pipeline as another user
CVE-2024-5655
Key Information
- Vendor
- Gitlab
- Status
- Gitlab
- Vendor
- CVE Published:
- 27 June 2024
Badges
Summary
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances.
Affected Version(s)
GitLab < 16.11.5
GitLab < 17.0.3
GitLab < 17.1.1
News Articles
GitLab Sends Users Scrambling Again With New CI/CD Pipeline Takeover Vuln
The bug is similar — but not identical — to a critical flaw GitLab patched just two weeks ago.
5 months ago
Over a dozen GitLab vulnerabilities addressed
Most severe of the addressed flaws is a critical bug in GitLab CE/EE versions newer than 15.8, 17.0, and 17.1, tracked as CVE-2024-5655, which could be leveraged to facilitate automated execution of a pipeline upon the automated re-targeting of a merge request.
5 months ago
Critical GitLab Bug Threatens Software Development Pipelines
The company is urging users running vulnerable versions to patch CVE-2024-5655 immediately, to avoid CI/CD malfeasance.
6 months ago
Refferences
CVSS V3.1
Timeline
- 🔴
Public PoC available
- 👾
Exploit known to exist
First article discovered by The Hacker News
Vulnerability published