

December 4, 2024
Severity
High
Analysis Summary
CVE-2024-9693 CVSS:8.5
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially crafted request, an attacker could exploit this vulnerability to access the Kubernetes agent in a cluster under specific configurations.
CVE-2024-8970 CVSS:8.2
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions. By sending a specially crafted request, an attacker could exploit this vulnerability to trigger a pipeline as another user under certain circumstances.
CVE-2024-9164 CVSS:9.6
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions. By sending a specially crafted request, an attacker could exploit this vulnerability to run pipelines on arbitrary branches.
CVE-2024-8977 CVSS:8.2
GitLab Community Edition and Enterprise Edition are vulnerable to server-side request forgery, caused by a flaw in the Analytics Dashboard. A remote authenticated attacker could exploit this vulnerability to conduct an SSRF attack, allowing the attacker to access or manipulate resources from the perspective of the affected server.
Impact
- Security Bypass
- Gain Access
Indicators of Compromise
CVE
- CVE-2024-9693
- CVE-2024-8970
- CVE-2024-9164
- CVE-2024-8977
Affected Vendors
- GitLab
Affected Products
- GitLab - 17.5.1
- GitLab - 17.4.3
- GitLab - 17.3.6
- GitLab - 16.0 - 17.4.0 - 17.5.0
- GitLab Community Edition (CE) and Enterprise Edition (EE) - 17.4.1
- GitLab Community Edition (CE) and Enterprise Edition (EE) - 17.3.4
- GitLab Community Edition (CE) and Enterprise Edition (EE) - 17.2.8
- GitLab - 15.10 - 17.3 - 17.4
Remediation
Upgrade to the latest version of GitLab Community Edition and Enterprise Edition, available from the GitLab website.
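The advisory's version list mixes release lines with individual patch versions, which makes it easy to misjudge whether a given instance still needs the upgrade. The following triage helper is an added example, not part of the advisory or GitLab's own tooling. It assumes that the three single-version entries at the top of the Affected Products list (17.5.1, 17.4.3, 17.3.6) are the first patched release of each 17.x line and that 16.0 is the earliest affected version (from the "16.0 - 17.4.0 - 17.5.0" entry); the advisory does not state either explicitly, so confirm both against GitLab's release notes. The `/api/v4/version` endpoint is GitLab's real version API and needs a token with API read access.

```python
"""Triage helper: is a GitLab instance older than the patched release of its line?

Added example, not from the advisory. The FIXED map below is an assumption:
it reads the single-version entries in the advisory's Affected Products list
(17.5.1, 17.4.3, 17.3.6) as the first patched release of each 17.x line.
Confirm against GitLab's release notes before acting on the result.
"""
import json
import re
import urllib.request

# Assumed patched releases keyed by (major, minor) line; constructed from the
# advisory's version list, not stated as such by the advisory itself.
FIXED = {
    (17, 5): (17, 5, 1),
    (17, 4): (17, 4, 3),
    (17, 3): (17, 3, 6),
}
# Earliest affected version taken from the advisory's "16.0 - 17.4.0 - 17.5.0" entry.
EARLIEST_AFFECTED = (16, 0, 0)


def parse_version(text: str) -> tuple:
    """Turn '17.4.2-ee' or '17.4' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def needs_upgrade(installed: str) -> bool:
    """True when the installed version falls inside the assumed vulnerable window.

    A version on a release line that has a fix is clear once it reaches that fix.
    A version on a line older than every fixed line (but at or above
    EARLIEST_AFFECTED) has no patched release in the map and must move to a
    fixed line. Lines newer than every fixed line are assumed to carry the fix.
    """
    v = parse_version(installed)
    if v < EARLIEST_AFFECTED:
        return False  # below the advisory's stated affected range
    line = v[:2]
    if line in FIXED:
        return v < FIXED[line]
    if line > max(FIXED):
        return False  # e.g. 17.6.x: newer than any listed fix
    return True  # e.g. 17.2.x or 16.x: older than the oldest fixed line


def installed_version(base_url: str, token: str) -> str:
    """Fetch the running version via GitLab's /api/v4/version endpoint.

    Requires a personal access token with API read access; only the
    version string from the JSON response is returned.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inputs; no network access is needed for these.
    samples = ["17.5.0", "17.5.1-ee", "17.4.2", "17.3.6", "17.2.8",
               "16.11.0", "15.9.0", "17.6.0"]
    for sample in samples:
        print(f"{sample:12} upgrade needed: {needs_upgrade(sample)}")
```

To run it against a live instance, call `installed_version("https://gitlab.example.com", token)` with a hypothetical host and token of your own and pass the result to `needs_upgrade`; the `__main__` block only exercises constructed version strings so the logic can be checked offline.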