CVE-2024-5655

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 15.8 through 16.11.5 GitLab CE/EE versions 17.0 through 17.0.3 GitLab CE/EE versions 17.1 through 17.1.1

Description An issue in GitLab CE/EE allows an attacker to trigger a pipeline as another user under certain circumstances. The vulnerability is related to access control issues, which can be exploited by a remote attacker to execute arbitrary code by running pipelines on behalf of other users. The estimated severity of this issue is high, with a potential impact on the security of software development. There are also mentions of other vulnerabilities, including stored XSS and CSRF issues.

Recommendations For GitLab CE/EE versions 15.8 through 16.11.5, update to version 16.11.5 or later. For GitLab CE/EE versions 17.0 through 17.0.3, update to version 17.0.3 or later. For GitLab CE/EE versions 17.1 through 17.1.1, update to version 17.1.1 or later. As a temporary workaround, consider restricting access to CI/CD pipelines to minimize the risk of exploitation. Additionally, disabling authentication using CI JOB TOKEN by default and preventing automatic pipeline runs when the target branch is changed in a merge request can help mitigate the issue.