PT-2024-10153 · Gitlab · Gitlab Ce/Ee

CVE-2024-12570

·

Published

2024-12-12

·

Updated

2024-12-16

CVSS v2.0

6.8

Medium

VectorAV:N/AC:H/Au:S/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 13.7 through 17.4.6 GitLab CE/EE versions 17.5 through 17.5.4 GitLab CE/EE versions 17.6 through 17.6.2
Description An issue has been discovered in GitLab CE/EE that may have allowed an attacker with a victim's CI JOB TOKEN to obtain a GitLab session token belonging to the victim. This issue is related to errors in privilege context switching. Exploitation of this issue could allow a remote attacker to gain unauthorized access to protected information.
Recommendations For GitLab CE/EE versions 13.7 through 17.4.6, update to version 17.4.6 or later to resolve the issue. For GitLab CE/EE versions 17.5 through 17.5.4, update to version 17.5.4 or later to resolve the issue. For GitLab CE/EE versions 17.6 through 17.6.2, update to version 17.6.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the CI JOB TOKEN to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2025-00479
BIT-GITLAB-2024-12570
CVE-2024-12570

Affected Products

Gitlab Ce/Ee