CVE-2024-12570

6.7 MEDIUM

📋 TL;DR

This vulnerability allows an attacker who obtains a victim's CI_JOB_TOKEN to potentially steal the victim's GitLab session token. This affects GitLab CE/EE instances running vulnerable versions, potentially enabling unauthorized access to the victim's GitLab account.

💻 Affected Systems

Products:
  • GitLab Community Edition
  • GitLab Enterprise Edition
Versions: 13.7 through 17.4.5, 17.5 through 17.5.3, and 17.6 through 17.6.1 (fixed in 17.4.6, 17.5.4 and 17.6.2)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using CI_JOB_TOKENs are affected if running vulnerable versions.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full access to victim's GitLab account, including repositories, pipelines, and sensitive data, leading to data theft, code manipulation, or lateral movement.

🟠

Likely Case

Attacker obtains limited session access to perform actions as the victim within GitLab, potentially accessing private repositories or CI/CD pipelines.

🟢

If Mitigated

With proper token management and monitoring, impact is limited to temporary session hijacking that can be quickly detected and revoked.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to obtain victim's CI_JOB_TOKEN first, which typically requires some initial access or social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 17.4.6, 17.5.4, 17.6.2

Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/494694

Restart Required: Yes

Instructions:

1. Back up your GitLab instance.
2. Update to a patched version: 17.4.6, 17.5.4, or 17.6.2.
3. Restart GitLab services.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Rotate CI_JOB_TOKENs

Platform: linux

Force rotation of all CI_JOB_TOKENs to invalidate potentially compromised tokens.

gitlab-rake gitlab:ci_job_token:rotate_all

Restrict CI_JOB_TOKEN scope

Platform: all

Limit CI_JOB_TOKEN permissions to minimum required using GitLab CI/CD settings.

🧯 If You Can't Patch

  • Implement strict monitoring of CI_JOB_TOKEN usage and session activity.
  • Enforce multi-factor authentication for all user accounts to reduce impact of session theft.

🔍 How to Verify

Check if Vulnerable:

Check the GitLab version in the Admin Area or with the command: gitlab-rake gitlab:env:info

Check Version:

gitlab-rake gitlab:env:info | grep -i version

Verify Fix Applied:

Using the same command, confirm the version is 17.4.6 or later on the 17.4 branch, 17.5.4 or later on the 17.5 branch, or 17.6.2 or later; any release after 17.6.2 is outside the affected ranges.
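The version check above can be scripted so the result does not depend on reading the output by eye. One caveat: `gitlab:env:info` prints several lines containing "Version" (Ruby, Gem, and the GitLab Shell component further down), so `grep -i version` alone is not enough; the GitLab application version is the "Version:" line directly under the "GitLab information" heading. The following is an added example, not code from the advisory or from GitLab: it parses that output (or a bare version string), compares it against the affected ranges listed on this page, and returns a verdict. The sample `gitlab:env:info` text is constructed and abridged.

```python
"""Check a GitLab version against the affected ranges for CVE-2024-12570.

Added example: reads `gitlab-rake gitlab:env:info` output (or a bare
version string) and reports whether it falls in a vulnerable range.
"""
import re
import sys

# Affected ranges from the advisory: [first affected, fixed-in), fixed-in exclusive.
AFFECTED_RANGES = (
    ((13, 7, 0), (17, 4, 6)),
    ((17, 5, 0), (17, 5, 4)),
    ((17, 6, 0), (17, 6, 2)),
)

# Constructed, abridged sample of `gitlab-rake gitlab:env:info` output.
# Note the other "Version" lines (Ruby, Gem, GitLab Shell) that a plain
# `grep -i version` would also return.
SAMPLE_ENV_INFO = """\
System information
System:
Current User:   git
Ruby Version:   3.2.5p208
Gem Version:    3.5.16

GitLab information
Version:        17.4.5-ee
Revision:       abcdef01
Directory:      /opt/gitlab/embedded/service/gitlab-rails

GitLab Shell
Version:        14.39.0
Repository storages:
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket
"""

VERSION_LINE = re.compile(r"^Version:\s*(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
BARE_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for the GitLab application itself.

    Looks for the "Version:" line under "GitLab information" so the GitLab
    Shell version further down is not picked up; falls back to the first
    x.y.z in the text, which handles a bare "17.4.5" or "17.4.5-ee".
    """
    start = text.find("GitLab information")
    scope = text[start:] if start != -1 else text
    match = VERSION_LINE.search(scope) or BARE_VERSION.search(scope)
    if match is None:
        raise ValueError("no GitLab version found in input")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True if the version tuple lies in one of the affected ranges."""
    return any(low <= version < high for low, high in AFFECTED_RANGES)


def assess(text):
    """Parse the version from text and return a one-line verdict."""
    version = parse_version(text)
    label = ".".join(str(part) for part in version)
    if is_vulnerable(version):
        return f"{label}: VULNERABLE, upgrade to 17.4.6, 17.5.4 or 17.6.2"
    return f"{label}: not in an affected range"


if __name__ == "__main__":
    # Usage: gitlab-rake gitlab:env:info | python3 check_cve_2024_12570.py
    # With no piped input the constructed sample is assessed instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENV_INFO
    print(assess(data))
```

The ranges are encoded with an exclusive upper bound equal to the fixed-in release, so the same table answers both "am I affected" and "did the fix land"; releases after 17.6.2 fall outside every range and are reported as not affected.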

📡 Detection & Monitoring

Log Indicators:

  • Unusual CI_JOB_TOKEN usage patterns
  • Multiple session creations from same CI_JOB_TOKEN
  • Session tokens generated from unexpected IPs

Network Indicators:

  • API calls using CI_JOB_TOKENs from unusual locations
  • Session token requests following CI_JOB_TOKEN usage

SIEM Query:

source="gitlab" AND ("CI_JOB_TOKEN" OR "session_token") AND action="create" | stats count by src_ip, user
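The log indicators above (multiple session creations from one CI_JOB_TOKEN, job-token activity from unexpected addresses) can be checked offline against exported JSON log lines before committing to a SIEM rule. The following is an added example and is not code from the advisory or from GitLab: the field names `token_type`, `token_id`, `remote_ip`, `action` and `username`, the `CiJobToken` value and the `session_create` action are assumed for illustration and must be mapped onto the fields your GitLab log files actually carry; the runner network `10.0.5.0/24` and the sample events are constructed.

```python
"""Flag CI_JOB_TOKEN usage patterns in JSON log lines (added example).

Field names and values are assumed for illustration, not GitLab's schema:
map token_type/token_id/remote_ip/action onto your own log fields.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: CI runners live in this network, so job-token traffic from any
# other address is unexpected and worth a finding.
TRUSTED_RUNNER_NETS = (ip_network("10.0.5.0/24"),)

# Constructed sample events: job-101 creates two sessions, one from outside
# the runner network; job-102 and the personal access token are benign.
SAMPLE_LOG = """\
{"time":"2024-12-01T10:00:01Z","token_type":"CiJobToken","token_id":"job-101","remote_ip":"10.0.5.20","action":"api_request","username":"ci-bot"}
{"time":"2024-12-01T10:00:02Z","token_type":"CiJobToken","token_id":"job-101","remote_ip":"10.0.5.20","action":"session_create","username":"ci-bot"}
{"time":"2024-12-01T10:00:40Z","token_type":"CiJobToken","token_id":"job-101","remote_ip":"203.0.113.7","action":"session_create","username":"ci-bot"}
{"time":"2024-12-01T10:01:00Z","token_type":"PersonalAccessToken","token_id":"pat-9","remote_ip":"10.0.5.21","action":"api_request","username":"alice"}
{"time":"2024-12-01T10:02:00Z","token_type":"CiJobToken","token_id":"job-102","remote_ip":"10.0.5.22","action":"api_request","username":"ci-bot"}
"""


def parse_events(log_text):
    """Yield one dict per JSON line, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def analyze(log_text, trusted_nets=TRUSTED_RUNNER_NETS, max_sessions=1):
    """Return findings for job-token events from untrusted addresses and for
    job tokens that created more than max_sessions sessions."""
    findings = []
    sessions_per_token = defaultdict(int)
    for event in parse_events(log_text):
        if event.get("token_type") != "CiJobToken":
            continue
        token = event.get("token_id", "?")
        raw_ip = event.get("remote_ip")
        if raw_ip is None:
            continue
        ip = ip_address(raw_ip)
        if not any(ip in net for net in trusted_nets):
            findings.append({
                "rule": "job_token_from_untrusted_ip",
                "token_id": token,
                "remote_ip": str(ip),
                "time": event.get("time"),
            })
        if event.get("action") == "session_create":
            sessions_per_token[token] += 1
    for token, count in sessions_per_token.items():
        if count > max_sessions:
            findings.append({
                "rule": "multiple_sessions_per_job_token",
                "token_id": token,
                "count": count,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against the sample, this reports two findings, both for `job-101`: the session created from `203.0.113.7` (outside the runner network) and the second session created with the same job token. Events using other token types are ignored so the output stays focused on the indicator this advisory describes.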
