CVE-2024-8970
📋 TL;DR
This vulnerability in GitLab allows an attacker to trigger CI/CD pipelines as another user under specific conditions, potentially executing unauthorized code or accessing sensitive data. It affects GitLab Community Edition (CE) and Enterprise Edition (EE) across multiple version ranges. Organizations using affected GitLab instances for CI/CD pipelines are at risk.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
An attacker could execute arbitrary code in CI/CD pipelines with elevated privileges, potentially compromising the entire GitLab instance, stealing source code, secrets, or deploying malicious artifacts to production environments.
Likely Case
Attackers could trigger pipelines to exfiltrate sensitive data like API keys, credentials, or source code, or perform unauthorized deployments that could disrupt operations.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized pipeline executions that can be detected and rolled back before causing significant damage.
🎯 Exploit Status
Exploitation requires some level of access to the GitLab instance and specific conditions. The HackerOne report suggests authenticated access may be needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.2.9, 17.3.5, 17.4.2
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/490916
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 17.2.9, 17.3.5, or 17.4.2, depending on your current version.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable CI/CD for untrusted projects
Temporarily disable CI/CD pipeline execution for projects where users have limited trust or where pipeline execution isn't critical.
Navigate to Project Settings > CI/CD > General pipelines and disable pipelines.
Restrict pipeline triggers
Limit who can trigger pipelines and require manual approval for sensitive projects.
Navigate to Project Settings > CI/CD > Pipeline triggers and restrict access.
🧯 If You Can't Patch
- Implement strict access controls and review all pipeline execution permissions
- Enable detailed logging and monitoring for all pipeline executions and review logs regularly
🔍 How to Verify
Check if Vulnerable:
Check your GitLab version via the admin interface or run: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Using the same command, confirm the reported version is at least the fix release for its line (17.2.9 for 17.2.x, 17.3.5 for 17.3.x, 17.4.2 for 17.4.x) or a later release.
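The version check described above, written out as an added example (not part of the advisory and not GitLab's own tooling): a small POSIX shell script that pulls the version out of gitlab:env:info-style output and decides whether it is at or above the fix release for its 17.x minor line. The sample output is constructed, the label matching is deliberately loose because the exact output layout varies between releases, and the rule that releases before 17.2 are reported as not fixed while 17.5 and later are treated as fixed is an assumption made here from "or higher", not something the page states.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a GitLab version string against
# the fix releases named on this page (17.2.9, 17.3.5, 17.4.2).
# Assumption (not the page's): a version counts as fixed when it is >= the fix
# release of its own 17.x minor line or belongs to a later line (>= 17.5);
# anything older than 17.2 is reported as not fixed because no fix release is
# listed for it here.

# Print the bare version (e.g. 17.3.4) found in gitlab:env:info style output,
# dropping an edition suffix such as -ee or -ce.
extract_version() {
    # $1 is the raw command output
    printf '%s\n' "$1" | sed -n 's/^.*[Vv]ersion:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Exit status 0 = at or above the fix release, 1 = not fixed or not recognisable.
is_fixed() {
    v="$1"
    case "$v" in *.*.*) ;; *) return 1 ;; esac      # need major.minor.patch
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}                          # "5-ee" -> "5"
    [ "$major" -gt 17 ] && return 0
    [ "$major" -lt 17 ] && return 1
    case "$minor" in
        2) [ "$patch" -ge 9 ] ;;
        3) [ "$patch" -ge 5 ] ;;
        4) [ "$patch" -ge 2 ] ;;
        *) [ "$minor" -ge 5 ] ;;
    esac
}

# Constructed sample of the relevant part of 'gitlab-rake gitlab:env:info'
# output; labels may differ slightly between releases, this is illustrative only.
SAMPLE='GitLab information
Version:        17.3.4-ee
Revision:       0000000'

ver=$(extract_version "$SAMPLE")
if is_fixed "$ver"; then
    echo "GitLab $ver: at or above the fix release for CVE-2024-8970"
else
    echo "GitLab $ver: below the fix release, update to 17.2.9 / 17.3.5 / 17.4.2"
fi
```

In practice, replace the constructed SAMPLE with the real output of the command given above (for example `is_fixed "$(extract_version "$(sudo gitlab-rake gitlab:env:info)")"`) and treat a non-zero exit as "still exposed". The per-line comparison matters: 17.3.4 is below its fix release even though it is numerically higher than 17.2.9.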
📡 Detection & Monitoring
Log Indicators:
- Unexpected pipeline triggers from unusual users or IPs
- Pipeline executions with elevated privileges
- Failed authentication attempts followed by pipeline triggers
Network Indicators:
- Unusual API calls to pipeline trigger endpoints
- Increased traffic to CI/CD runners from unexpected sources
SIEM Query:
source="gitlab" AND (event="pipeline_triggered" OR event="job_started") AND user!="expected_user"
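The SIEM query above, applied as an added example (not from the advisory and not GitLab's own tooling) to line-oriented logs with awk: it keeps only GitLab pipeline_triggered and job_started events whose user is outside an allow-list, which is the user!="expected_user" condition generalised to several expected users. The key=value record format and the events in it are constructed for illustration and are not GitLab's actual log schema; the field names would have to be mapped onto whatever pipeline or audit log source feeds the SIEM.

```shell
#!/bin/sh
# Added example, not part of the advisory: apply the page's SIEM logic
# (pipeline_triggered / job_started events by a user outside the expected set)
# to line-oriented key=value log records with standard tools.
# The record format below is constructed for illustration and is NOT GitLab's
# real log schema; adapt the field names to your own log source.

# Constructed sample records, one event per line.
SAMPLE_LOG='ts=2024-10-01T10:00:01Z source=gitlab event=pipeline_triggered user=ci-bot project=app ip=10.0.0.5
ts=2024-10-01T10:00:03Z source=gitlab event=job_started user=ci-bot project=app ip=10.0.0.5
ts=2024-10-01T10:02:10Z source=gitlab event=pipeline_triggered user=alice project=app ip=203.0.113.7
ts=2024-10-01T10:02:12Z source=gitlab event=login_failed user=alice project=- ip=203.0.113.7
ts=2024-10-01T10:05:00Z source=jenkins event=pipeline_triggered user=mallory project=app ip=198.51.100.9
ts=2024-10-01T10:06:00Z source=gitlab event=job_started user=mallory project=app ip=198.51.100.9'

# flag_unexpected_pipeline_events LOGTEXT EXPECTED_USERS
#   EXPECTED_USERS is a space-separated allow-list, e.g. "ci-bot alice".
#   Prints one line per matching record: timestamp, user, event, ip.
flag_unexpected_pipeline_events() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        {
            split("", f)                       # reset per-record field map
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq > 0) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            if (f["source"] != "gitlab") next  # source="gitlab"
            if (f["event"] != "pipeline_triggered" && f["event"] != "job_started") next
            if (f["user"] in ok) next          # user is expected, not an indicator
            print f["ts"], f["user"], f["event"], f["ip"]
        }'
}

# Number of flagged events, usable as an alert threshold input.
count_unexpected() {
    flag_unexpected_pipeline_events "$1" "$2" | wc -l | tr -d ' '
}

flag_unexpected_pipeline_events "$SAMPLE_LOG" "ci-bot"
```

With only ci-bot on the allow-list, the sample yields two hits: alice's pipeline trigger and mallory's job start. Mallory's other trigger is dropped because it is not a GitLab event, and alice's failed login is dropped because it is not a pipeline event, though the page lists a failed login followed by a trigger as a pattern worth correlating separately.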