CVE-2024-8641

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 13.7 through 17.1.7 GitLab CE/EE versions 17.2 through 17.2.5 GitLab CE/EE versions 17.3 through 17.3.2

Description An issue has been discovered in GitLab CE/EE that may have allowed an attacker with a victim's CI JOB TOKEN to obtain a GitLab session token belonging to the victim. The vulnerability is related to errors in privilege context switching, which could allow a remote attacker to elevate their privileges and gain unauthorized access to protected information.

Recommendations For GitLab CE/EE versions 13.7 through 17.1.7, update to version 17.1.7 or later. For GitLab CE/EE versions 17.2 through 17.2.5, update to version 17.2.5 or later. For GitLab CE/EE versions 17.3 through 17.3.2, update to version 17.3.2 or later. As a temporary workaround, consider restricting access to CI JOB TOKEN to minimize the risk of exploitation.