Unrated severityNVD Advisory· Published Dec 12, 2024· Updated Dec 17, 2024

Privilege Context Switching Error in GitLab

CVE-2024-12570

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.

Affected products

GitLab Inc./GitLabv52 versions
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*range: 13.7
- (no CPE)range: >=13.7 <17.4.6 || >=17.5 <17.5.4 || >=17.6 <17.6.2
osv-coords8 versions
pkg:apk/chainguard/gitlab-base-fips-17.6 pkg:apk/chainguard/gitlab-cng-fips-17.6 pkg:apk/chainguard/gitlab-container-registry-fips-17.6 pkg:apk/chainguard/gitlab-elasticsearch-indexer-fips-17.6 pkg:apk/chainguard/gitlab-logger-fips-17.6 pkg:apk/chainguard/gitlab-shell-fips-17.6 pkg:apk/chainguard/gitlab-toolbox-fips-17.6 pkg:bitnami/gitlab
< 17.6.5-r0+ 7 more
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: >= 13.7.0, < 17.4.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

hackerone.com/reports/2724948mitretechnical-descriptionexploitpermissions-required
gitlab.com/gitlab-org/gitlab/-/issues/494694mitreissue-trackingpermissions-required

News mentions

GitLab Patch Release: 17.6.2, 17.5.4, 17.4.6
GitLab Security Releases · Dec 11, 2024

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000