Rewterz

Multiple GitLab Community Edition and Enterprise Edition Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-9693 (CVSS: 8.5)

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially crafted request, an attacker could exploit this vulnerability to access the Kubernetes agent in a cluster under specific configurations.

CVE-2024-8970 (CVSS: 8.2)

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions. By sending a specially crafted request, an attacker could exploit this vulnerability to trigger a pipeline as another user under certain circumstances.

CVE-2024-9164 (CVSS: 9.6)

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions. By sending a specially crafted request, an attacker could exploit this vulnerability to run pipelines on arbitrary branches.

CVE-2024-8977 (CVSS: 8.2)

GitLab Community Edition and Enterprise Edition are vulnerable to server-side request forgery, caused by a flaw in the Analytics Dashboard. A remote authenticated attacker could exploit this vulnerability to conduct an SSRF attack, allowing the attacker to access or manipulate resources from the perspective of the affected server.

Impact

  • Security Bypass
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2024-9693
  • CVE-2024-8970
  • CVE-2024-9164
  • CVE-2024-8977

Affected Vendors

GitLab

Affected Products

  • GitLab - 17.5.1
  • GitLab - 17.4.3
  • GitLab - 17.3.6
  • GitLab - 16.0 - 17.4.0 - 17.5.0
  • GitLab Community Edition (CE) and Enterprise Edition (EE) - 17.4.1
  • GitLab Community Edition (CE) and Enterprise Edition (EE) - 17.3.4
  • GitLab Community Edition (CE) and Enterprise Edition (EE) - 17.2.8
  • GitLab - 15.10 - 17.3 - 17.4

Remediation

Upgrade to the latest version of GitLab Community Edition and Enterprise Edition, available from the GitLab Website.
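As an added defender-side check, not part of the Rewterz advisory or of GitLab's own tooling: a Python script that reads the running version from GitLab's authenticated /api/v4/version endpoint and compares it with the lowest patched release on each affected release line. The floor numbers, the gitlab.example.com URL and the GITLAB_TOKEN environment variable are constructed placeholders; take the real floors from the GitLab release post for these CVEs.

```python
import json
import os
import re
import urllib.request

# Constructed placeholder floors: lowest release on each line that carries the
# fix. Illustrative values only; replace them with the GitLab release post's.
EXAMPLE_FLOORS = {
    (17, 5): (17, 5, 2),
    (17, 4): (17, 4, 4),
    (17, 3): (17, 3, 7),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '17.4.2-ee' or '17.4.2' into (17, 4, 2); -ee/-ce suffixes are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version, floors):
    """Classify a parsed version as 'patched', 'vulnerable' or 'newer-line'.

    A release line older than every line in `floors` receives no backport,
    so it is reported as vulnerable; a line newer than all floors was cut
    after the fix and is flagged for confirmation against the release notes.
    """
    line = version[:2]
    if line in floors:
        return "patched" if version >= floors[line] else "vulnerable"
    if line < min(floors):
        return "vulnerable"
    return "newer-line"


def fetch_version(base_url, token):
    """Read the version string from GitLab's authenticated /api/v4/version endpoint."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Placeholder URL and token; the token only needs read access.
    reported = fetch_version(os.environ.get("GITLAB_URL", "https://gitlab.example.com"),
                             os.environ["GITLAB_TOKEN"])
    print(reported, assess(parse_version(reported), EXAMPLE_FLOORS))
```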