CVE-2024-9164

CRITICAL

GitLab 12.5.0-17.2.8, 17.3.0-17.3.4, 17.4.0-17.4.1 - Unauthenticated Pipeline Execution on Arbitrary Branches

Title source: llm
STIX 2.1

Description

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.

References (2)

Core 2
Core References
Broken Link issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/493946
Permissions Required technical-description exploit permissions-required
https://hackerone.com/reports/2711204

Scores

CVSS v3 9.6
EPSS 0.0015
EPSS Percentile 35.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-306
Status published
Products (1)
gitlab/gitlab 12.5.0 - 17.2.9 (2 CPE variants)
Published Oct 11, 2024
Tracked Since Feb 18, 2026