CVE-2024-12570

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 13.7 through 17.4.6 GitLab CE/EE versions 17.5 through 17.5.4 GitLab CE/EE versions 17.6 through 17.6.2

Description An issue has been discovered in GitLab CE/EE that may have allowed an attacker with a victim's CI JOB TOKEN to obtain a GitLab session token belonging to the victim. This issue is related to errors in privilege context switching. Exploitation of this issue could allow a remote attacker to gain unauthorized access to protected information.

Recommendations For GitLab CE/EE versions 13.7 through 17.4.6, update to version 17.4.6 or later to resolve the issue. For GitLab CE/EE versions 17.5 through 17.5.4, update to version 17.5.4 or later to resolve the issue. For GitLab CE/EE versions 17.6 through 17.6.2, update to version 17.6.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the CI JOB TOKEN to minimize the risk of exploitation.