CVE-2024-9164

Missing Authentication for Critical Function (CWE-306)

Published: Oct 11, 2024 / Updated: 39d ago

CVSS 9.6 | EPSS 0.04% | Critical

Summary

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This vulnerability is classified as Missing Authentication for Critical Function (CWE-306).

Impact

This vulnerability has a high severity with a CVSS v3.1 base score of 9.6. It allows attackers to run pipelines on arbitrary branches, potentially leading to unauthorized code execution and data manipulation. The impact on confidentiality and integrity is high, while availability is not affected. The attack vector is network-based, requires low attack complexity, and needs low privileges to exploit. No user interaction is required, and the scope is changed, indicating potential impact beyond the vulnerable component.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

Patches are available. GitLab has released fixed versions: 17.2.9, 17.3.5, and 17.4.2. Users should upgrade to these patched versions or later to mitigate the vulnerability.

Mitigation

1. Immediately upgrade GitLab EE to the latest patched versions: 17.2.9, 17.3.5, 17.4.2, or later.
2. If immediate patching is not possible, consider restricting network access to the GitLab instance to trusted IP addresses only.
3. Monitor GitLab logs for any suspicious pipeline activity, especially pipelines running on unexpected branches.
4. Implement strong authentication mechanisms and access controls for GitLab users and integrations.
5. Regularly review and audit pipeline configurations and permissions.
6. Keep abreast of GitLab security announcements and apply future security updates promptly.
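The first mitigation step is only actionable once you know which of your instances fall inside the three affected ranges. The following Python is an added example, not code from GitLab, Feedly or this advisory: it parses a GitLab version string, tests it against the ranges stated in the summary, and names the minimum fixed release for that version line. The handling of a `-ee` suffix, a leading `v`, and two-component versions such as `17.2` are assumptions about how version strings appear in practice.

```python
"""Check a GitLab EE version string against the ranges affected by CVE-2024-9164."""
from __future__ import annotations

# Affected ranges from the advisory, as half-open [lower, upper) tuples.
# The upper bound of each range is the first fixed release for that line.
AFFECTED_RANGES: list[tuple[tuple[int, int, int], tuple[int, int, int]]] = [
    ((12, 5, 0), (17, 2, 9)),   # 12.5 up to but not including 17.2.9
    ((17, 3, 0), (17, 3, 5)),   # 17.3 up to but not including 17.3.5
    ((17, 4, 0), (17, 4, 2)),   # 17.4 up to but not including 17.4.2
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2.9', 'v17.2', or '17.3.4-ee' into a comparable (major, minor, patch) tuple.

    The suffix and prefix handling is an assumption about real-world version
    strings; anything that is not one to three dotted integers is rejected.
    """
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> str | None:
    """Minimum fixed release for the matching range, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def triage(versions: list[str]) -> dict[str, str]:
    """Map each version to 'affected (upgrade to X)' or 'not affected'."""
    result = {}
    for ver in versions:
        fix = recommended_upgrade(ver)
        result[ver] = f"affected (upgrade to {fix} or later)" if fix else "not affected"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, verdict in triage(["16.11.3-ee", "17.2.8", "17.2.9", "17.3.4", "17.4.2", "17.5.0"]).items():
        print(f"{ver:12s} {verdict}")
```

Because the ranges are half-open, a fixed release such as 17.2.9 or 17.3.5 is reported as not affected, and so is a later patch of the same line (for example 17.2.10), which matches the advisory's "or later" wording.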

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9164.

Oct 9, 2024 at 10:23 PM / GitLab
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 10, 2024 at 5:56 AM
Threat Intelligence Report

CVE-2024-9164 is a critical vulnerability in GitLab, with a CVSS score of 9.6, that allows malicious actors to run pipelines on arbitrary branches, potentially leading to unauthorized access to sensitive data and systems. GitLab has released patches in versions 17.4.2, 17.3.5, and 17.2.9 for both Community and Enterprise Editions, and users are strongly urged to upgrade immediately to mitigate this risk. The article does not mention any proof-of-concept exploits or specific instances of exploitation in the wild.

Oct 10, 2024 at 10:03 AM
CVE Assignment

NVD published the first details for CVE-2024-9164

Oct 11, 2024 at 1:15 PM
CVSS

A CVSS base score of 9.6 has been assigned.

Oct 11, 2024 at 1:20 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208737)

Oct 11, 2024 at 5:15 PM
Trending

This CVE started to trend in security discussions

Oct 11, 2024 at 7:52 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 12, 2024 at 10:03 AM
Trending

This CVE stopped trending in security discussions

Oct 14, 2024 at 12:19 PM

Affected Systems

Gitlab/gitlab

Attack Patterns

CAPEC-12: Choosing Message Identifier

References

CVE-2024-9164 (CVSS 9.6): GitLab Users Urged to Update Now
Summary: GitLab has released critical security updates in versions 17.4.2, 17.3.5, and 17.2.9 for both Community and Enterprise Editions. These updates address several significant vulnerabilities, including a critical-severity flaw (CVE-2024-9164) that could allow attackers to run pipelines on arbitrary branches, posing a major security risk to affected instances.

News

CVE-2024-9164: GitLab EE Permission Bypass Vulnerability
On October 10, 2024, Sangfor FarSight Labs received notification of a Permission Bypass Vulnerability (CVE-2024-9164) in a GitLab component, classified as Critical in threat level. Support is provided for the proactive detection of GitLab, and it is capable of batch-identifying the affected assets of this event in business scenarios.
October 2024: Biggest Cyber Attacks, Data Breaches, Ransomware Attacks
Henry Schein has finally disclosed a data breach following at least two back-to-back cyber attacks in 2023 by the BlackCat Ransomware gang, revealing that over 160,000 people had their personal information stolen. October 2024 saw several high-profile cyber attacks, ransomware incidents, and data breaches, affecting a range of industries from healthcare and finance to retail and government.
Update Mon Oct 28 14:36:14 UTC 2024
Vulnerability Notice – Adobe, Gitlab, Latepoint plugin (Wordpress), Oracle, Telerik Report Server
Gitlab has released a security update to address a critical-severity vulnerability (CVE-2024-9164) in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. LatePoint plugin for WordPress has been updated to address two critical-severity vulnerabilities affecting versions up to and including 5.0.12.
Vulnerability Summary for the Week of October 7, 2024
High Vulnerabilities (Primary Vendor — Product | Description | Published | CVSS Score | Source Info)
adobe — animate | Animate versions 23.0.7, 24.0.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-10-09 | 7.8 | CVE-2024-47410 psirt@adobe.com
adobe — animate | Animate versions 23.0.7, 24.0.4 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-10-09 | 7.8 | CVE-2024-47411 psirt@adobe.com
adobe — animate | Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-10-09 | 7.8 | CVE-2024-47412 psirt@adobe.com
adobe — animate | Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2024-10-09 | 7.8 | CVE-2024-47413 psirt@adobe.com
adobe — animate | Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
