Arbitrary Pipeline Access Vulnerability in GitLab EE

CVE-2024-9164
9.6 CRITICAL

Key Information

Vendor: Gitlab
Status: Gitlab Vendor
CVE Published: 11 October 2024

Badges

Trended, News Worthy

Summary

CVE-2024-9164 is a critical vulnerability in GitLab EE that lets an authenticated user with low privileges run arbitrary CI/CD pipelines on arbitrary branches of a repository. It carries a CVSS v3.1 base score of 9.6 out of 10. The GitLab patch releases that fix it also address seven other security flaws: four rated high, two medium and one low. There is no evidence of active exploitation, but users are advised to update their instances to a fixed version to guard against potential threats.

Affected Version(s)

GitLab < 17.2.9

GitLab < 17.3.5

GitLab < 17.4.2
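The three ranges above mean: anything below 17.2.9, anything on the 17.3 branch below 17.3.5, and anything on the 17.4 branch below 17.4.2. The following Python is an added example (not the page's or GitLab's own code) that encodes exactly those ranges, checks a version string against them, and optionally reads the running version from a GitLab instance. It assumes GitLab's REST endpoint `GET /api/v4/version`, which returns JSON such as `{"version": "17.4.1-ee", ...}` and requires a `PRIVATE-TOKEN` header; the base URL and token are command-line arguments, and the version strings used for illustration are constructed.

```python
"""Check a GitLab version against the fixed ranges for CVE-2024-9164.

Added example, not GitLab's code. Fixed versions are the three listed on this page.
"""
import json
import re
import sys
import urllib.request

# One fixed release per maintained branch, oldest first (from the page).
FIXED_VERSIONS = ((17, 2, 9), (17, 3, 5), (17, 4, 2))


def parse_version(text: str) -> tuple:
    """Turn '17.4.1-ee', '17.3.0-pre' or '17.4' into (major, minor, patch),
    ignoring edition and pre-release suffixes."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text: str) -> bool:
    """True when the version is below the fix on its own branch. The page's
    '< 17.2.9' range has no lower bound, so every release on an older branch
    (17.1.x, 16.x, ...) is treated as affected; newer branches are not."""
    v = parse_version(version_text)
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            return v < fixed
    return v < FIXED_VERSIONS[0]


def recommended_upgrade(version_text: str) -> tuple:
    """Fixed release on the same branch, or the newest fix when the branch
    has no patch release listed on this page."""
    v = parse_version(version_text)
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            return fixed
    return FIXED_VERSIONS[-1]


def fetch_instance_version(base_url: str, token: str) -> str:
    """Read the running version from GET /api/v4/version (authenticated)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Usage: python check_gitlab.py https://gitlab.example.com "$GITLAB_TOKEN"
    base_url, token = sys.argv[1], sys.argv[2]
    running = fetch_instance_version(base_url, token)
    if is_affected(running):
        target = ".".join(map(str, recommended_upgrade(running)))
        print(f"{running}: AFFECTED by CVE-2024-9164, upgrade to {target} or later")
        sys.exit(1)
    print(f"{running}: not in the affected ranges")
```

The suffix handling matters in practice: a self-managed EE instance reports `17.4.1-ee`, and a naive string comparison against `17.4.2` would misjudge it.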


CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Score: 9.6
Severity: Critical
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Timeline

  • Vulnerability started trending.

  • First article discovered by The Hacker News

  • Vulnerability published.

  • Vulnerability Reserved.

Collectors

NVD Database, Mitre Database, 1 News Article(s)

Credit

Thanks [pwnie](https://hackerone.com/pwnie) for reporting this vulnerability through our HackerOne bug bounty program.