CVE-2024-8970

Oct 12, 2024

Published Date: 2024-10-11T13:15:17.270
Last Modified: 2024-10-11T13:15:17.270

CVSS Score: 8.2 (HIGH)

EPSS Score: 0.04%

Risk Score: 5.74 (HIGH)

The risk score is derived from the CVSS score and the EPSS score. It is provided for reference only and is not an internationally recognized metric.


Description: An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.

MITRE ATT&CK Techniques (v15.1)

T1053.002 – At

Technical Analysis & Mitigation Measures

1. Technical Attack Analysis:
– Attack Techniques:
– T1053.002 – At: This technique covers scheduling tasks or jobs so that malicious payloads or commands run later. In this case, the vulnerability allows an attacker to trigger a CI/CD pipeline that can execute arbitrary code or commands in the context of another user.
– Exploitation Outcomes:
– Unauthorized access to sensitive data or environment variables.
– Execution of malicious scripts or commands with elevated privileges.
– Potential compromise of the CI/CD environment, leading to further exploitation of application dependencies or infrastructure.
– Disruption of service or denial of availability to legitimate users.
– Manipulation of code repositories, potentially leading to supply chain attacks.

2. Mitigation Measures:
– Apply the latest security patches for GitLab.
– Implement strict user access controls and permissions.
– Monitor and log all pipeline executions for anomalies.
– Use feature flags to control access to pipeline triggering features.
– Conduct regular security audits of CI/CD configurations.
– Educate users about secure practices and the implications of triggering pipelines.
– Implement multi-factor authentication for all users.
– Limit the scope of user roles and permissions based on the principle of least privilege.

The content above is generated by AI. Please review and consider carefully before applying!

Reference Links

Vendor - Product - Version

None

Disclaimer

The content on this website is automatically sourced from external websites such as the National Vulnerability Database (NVD), GitHub, and other security-related sources. This content is for reference purposes only, and we are not responsible for the accuracy or integrity of the information linked or displayed from these sources.