VYPR
Unrated severity · NVD Advisory · Published Apr 8, 2020 · Updated Aug 4, 2024

CVE-2020-10981

Description

GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In GitLab 9.0 to 12.9, a project maintainer can modify another maintainer's pipeline trigger description, bypassing intended permissions.

Vulnerability

In GitLab EE/CE versions 9.0 through 12.9, a user with the Maintainer role in a project can alter the descriptions of pipeline triggers that were created by other Maintainers in the same project, a change that should normally require the original author's privileges or additional permissions. The issue affects all instances running the affected versions.

Exploitation

To exploit this vulnerability, an attacker must have the Maintainer role in a GitLab project that uses pipeline triggers. The attacker can navigate to the pipeline triggers settings and modify the description of another maintainer's trigger. The user interaction required is limited to accessing the project settings and performing the modification; no special timing or race conditions are involved. The attacker does not need to know the trigger token or have access to the trigger itself beyond the project settings.

Impact

Successful exploitation allows the attacker to change the description of another maintainer's pipeline trigger. This can lead to confusion or misdirection regarding the purpose of the trigger, potentially enabling social engineering or subtle manipulation of CI/CD processes. It does not directly allow code execution or data exfiltration, but it violates the principle of least privilege and could be used to obscure malicious changes to pipeline configurations.

Mitigation

GitLab addressed this vulnerability in version 12.9.1, released on March 26, 2020 [2]. Users running GitLab 9.0 through 12.9 should upgrade to 12.9.1 or later to apply the fix. No workarounds are documented, and as of the publication date, this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

2
