Unauthorized Access to Kubernetes Agent in GitLab CE/EE Clusters
CVE-2024-9693
8.8 HIGH
Summary
A vulnerability affecting GitLab CE/EE could allow unauthorized access to the Kubernetes agent within clusters configured in specific ways. This issue impacts all versions of GitLab starting from 16.0 up to 17.3.6, starting from 17.4 up to 17.4.3, and starting from 17.5 up to 17.5.1. Organizations using these versions should evaluate their configurations and apply necessary updates to maintain the integrity of their Kubernetes environments.
Affected Version(s)
GitLab 16.0 < 17.3.7
GitLab 17.4.0 < 17.4.4
GitLab 17.5.0 < 17.5.2
References
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Credit
This vulnerability was found internally by a GitLab team member [Tiger Watson](https://gitlab.com/tigerwnz).