Résumé
CVE-2024-6385 was a critical improper access control flaw in GitLab Community and Enterprise Edition disclosed on July 11, 2024, affecting versions from 15.8 before 16.11.6, 17.0 before 17.0.4, and 17.1 before 17.1.2, that under certain circumstances let an attacker trigger and run a CI/CD pipeline as another, arbitrary user. The bug stemmed from the pipeline-triggering logic failing to correctly validate the identity of the user on whose behalf a pipeline was started, so jobs executed with the victim's permissions, CI_JOB_TOKEN, and access to their CI/CD secrets such as cloud tokens, Kubernetes service accounts, and attached identities, enabling privilege escalation across the platform. It was effectively a re-fix of CVE-2024-5655 (also critical, disclosed late June 2024), whose root cause was that merge requests automatically retargeted to a new branch upon merge would inadvertently trigger pipeline execution as the original author without manual initiation, with GraphQL CI_JOB_TOKEN authentication being disabled by default as part of the mitigation. Both flaws were rated critical by GitLab and prompted urgent patch guidance.
Comment l’éviter dans votre code
- Patch GitLab CE/EE to 16.11.6, 17.0.4, or 17.1.2 (or later) immediately.
- Restrict who can configure pipeline triggers and merge-request auto-retargeting.
- Scope CI_JOB_TOKEN narrowly and rotate CI/CD secrets and cloud tokens after exposure.
- Apply least privilege to CI service accounts, runners, and pipeline credentials.
- Monitor pipeline runs and job logs for execution under unexpected user identities.
Références
Vulnérabilités liées
Tout Supply chain →- HIGHCVE-2026-50132
Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF
- MEDIUMCVE-2026-31978
motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
- MEDIUMCVE-2024-37155
OpenCTI May Bypass Introspection Restriction
- CRITICALSC-PYTORCH-RUNNER-2024
On January 11, 2024 Praetorian researchers John Stawinski and Adnan Khan publicly disclosed a critical supply-chain attack against PyTorch's GitHub Actions CI, originally reported on August 9, 2023. They first merged a trivial markdown typo fix, which promoted their account to a returning contributor whose pull-request workflows no longer required manual approval. PyTorch ran CI on persistent, non-ephemeral self-hosted runners left at GitHub's default setting that lets fork pull-request workflows execute on them, so a malicious draft PR running a curl-pipe-bash payload executed attacker code directly on the long-lived runner. Because the runner was not torn down between jobs, the attackers stole the runner's GitHub Actions registration token plus a write-scoped GITHUB_TOKEN, the GH_PYTORCHBOT_TOKEN and UPDATEBOT_TOKEN personal access tokens reaching 90-plus repositories, and the aws-pytorch-uploader AWS keys. This was a textbook self-hosted-runner plus fork-PR poisoned pipeline execution (pwn request) that enabled release and S3 artifact poisoning of distributed PyTorch binaries.
- HIGHSC-CRED-HYGIENE-CICDSEC6-2023
Insufficient credential hygiene is the class in which long-lived, broadly-scoped secrets such as cloud access keys, registry tokens, and signing keys are stored as static CI variables, so any pipeline compromise (or any poisoned-pipeline, OIDC, or cache attack) yields durable, high-blast-radius credentials. The root mechanism is that static secrets do not expire, are often shared across projects, and grant standing access far beyond a single build, so theft of the CI platform's secret store or of a single workflow's environment converts a transient foothold into persistent access to production cloud and registry accounts. The CircleCI breach of January 2023 is the canonical illustration: malware on an engineer's laptop stole a valid 2FA-backed SSO session, letting attackers exfiltrate customers' environment variables, API tokens, and SSH keys, and CircleCI had to invalidate project tokens and instruct every customer to rotate all stored secrets, a platform-wide rotation that demonstrated the systemic cost of static-credential dependence. OWASP catalogues this as CICD-SEC-6 and recommends short-lived OIDC tokens and least privilege as the structural fix.
- HIGHCVE-2026-52801
Gogs has the ability to import local repositories via Mirror Settings