CVE-2024-9164 — Missing Authentication for Critical Function in Gitlab

CWE-306 — Missing Authentication for Critical Function6 documents6 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 55.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedOct 11

Description

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5gitlab/gitlab12.5 — 17.2.9+2

▶NVDgitlab/gitlab12.5.0 — 17.2.9+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-xc4q-wvjc-4v56: An issue was discovered in GitLab EE affecting all versions starting from 12↗2024-10-11

▶

OSV

CVE-2024-9164: An issue was discovered in GitLab EE affecting all versions starting from 12↗2024-10-11

▶

📋Vendor Advisories

GitLab

CVE-2024-9164: An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from↗2024-10-11

▶

Debian

CVE-2024-9164: gitlab - An issue was discovered in GitLab EE affecting all versions starting from 12.5 p...↗2024

▶

🕵️Threat Intelligence

Bleepingcomputer

GitLab warns of critical arbitrary branch pipeline execution flaw↗2024-10-10

▶