An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
The vulnerability classified as CWE-290 (Authentication Bypass by Spoofing) allows an authenticated attacker to bypass identity verification mechanisms under specific circumstances. As a result, the attacker can initiate a CI/CD pipeline as if they were another, arbitrarily chosen user of the system. The vulnerability affects a wide range of versions — all releases from 8.14 and above that have not been patched.
An attacker can run CI/CD pipelines as any user, leading to unauthorized code execution, privilege escalation, leakage of secrets and environment variables stored in the pipeline, as well as compromise of the entire development environment and software supply chain.
Update GitLab CE/EE to version 17.1.7, 17.2.5, or 17.3.2 (depending on the branch in use). Patches were released by the vendor on September 11, 2024, as part of the patch release 17.3.2.
GitLab CE/EE: all versions from 8.14 to 17.1.6 (inclusive), versions 17.2.0–17.2.4, and versions 17.3.0–17.3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HGitLab
APPGitlab8.14.0 – 17.1.7 (bez)17.2.0 – 17.2.5 (bez)17.3.0 – 17.3.2 (bez)
Related vulnerabilities
GitLab: Przejęcie konta przez reset hasła na niezweryfikowany e-mail
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properl...
GitLab CE/EE: uruchomienie pipeline jako inny użytkownik (privilege escalation)
GitLab EE: uruchamianie pipeline CI/CD na dowolnych gałęziach bez autoryzacji
Ruby-SAML: pominięcie weryfikacji podpisu odpowiedzi SAML — Auth Bypass