CRITICAL · Supply chain

SC-GITLAB-PIPELINE-2024

CI/CD · GitLab · GitLab CE/EE

Summary

CVE-2024-6385 was a critical improper access control flaw in GitLab Community and Enterprise Edition, disclosed on July 11, 2024. It affected versions from 15.8 before 16.11.6, 17.0 before 17.0.4, and 17.1 before 17.1.2. Under certain circumstances it let an attacker trigger and run a CI/CD pipeline as another, arbitrary user. The bug stemmed from the pipeline-triggering logic failing to correctly validate the identity of the user on whose behalf a pipeline was started, so jobs executed with the victim's permissions, CI_JOB_TOKEN, and access to their CI/CD secrets (cloud tokens, Kubernetes service accounts, and attached identities), enabling privilege escalation across the platform. It was effectively a re-fix of CVE-2024-5655 (also critical, disclosed late June 2024), whose root cause was that merge requests automatically retargeted to a new branch upon merge would inadvertently trigger pipeline execution as the original author without manual initiation; as part of that mitigation, GraphQL CI_JOB_TOKEN authentication was disabled by default. Both flaws were rated critical by GitLab and prompted urgent patch guidance.

How to avoid it in your code

  • Patch GitLab CE/EE to 16.11.6, 17.0.4, or 17.1.2 (or later) immediately.
  • Restrict who can configure pipeline triggers and merge-request auto-retargeting.
  • Scope CI_JOB_TOKEN narrowly and rotate CI/CD secrets and cloud tokens after exposure.
  • Apply least privilege to CI service accounts, runners, and pipeline credentials.
  • Monitor pipeline runs and job logs for execution under unexpected user identities.
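Two checks that follow from the patch and monitoring advice above, as an added example that is not GitLab's own code: a version test against the affected ranges stated in the summary, and a scan of pipeline records for runs executed under a user other than the expected actor. It assumes version strings in the form GitLab's `GET /version` endpoint returns (e.g. `16.11.5-ee`) and pipeline records shaped like GitLab's pipeline API (`id`, `source`, `user.username`) that the caller has joined with an `expected_actor` field (for example the merge request author); the sample records are constructed.

```python
"""Checks for the GitLab pipeline identity flaw (CVE-2024-6385) described above.

Added example, not GitLab's code. Assumes version strings like GitLab's
GET /version output ("16.11.5-ee") and pipeline records shaped like the
pipeline API (id, source, user.username) plus a caller-supplied
"expected_actor" (e.g. the merge request author) -- both are assumptions.
"""
import re

# Affected ranges from the advisory: [15.8, 16.11.6), [17.0, 17.0.4), [17.1, 17.1.2)
AFFECTED = [((15, 8, 0), (16, 11, 6)), ((17, 0, 0), (17, 0, 4)), ((17, 1, 0), (17, 1, 2))]


def parse_version(text):
    """'16.11.5-ee' -> (16, 11, 5); edition suffixes and pre-release tags are dropped."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(text):
    """True if the version falls inside any affected range (lower bound inclusive, fix version exclusive)."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def find_identity_mismatches(pipelines):
    """Flag pipelines that ran under a user other than the expected actor.
    Returns (pipeline id, source, expected actor, actual user) tuples."""
    hits = []
    for p in pipelines:
        actual = p["user"]["username"]
        if actual != p["expected_actor"]:
            hits.append((p["id"], p["source"], p["expected_actor"], actual))
    return hits


# Constructed sample data, not from a real instance.
SAMPLE_PIPELINES = [
    {"id": 101, "source": "merge_request_event", "user": {"username": "dev-a"}, "expected_actor": "dev-a"},
    {"id": 102, "source": "merge_request_event", "user": {"username": "maintainer-b"}, "expected_actor": "dev-a"},
    {"id": 103, "source": "push", "user": {"username": "dev-c"}, "expected_actor": "dev-c"},
]

if __name__ == "__main__":
    for ver in ("16.11.5-ee", "16.11.6", "17.0.3-ce", "17.1.2", "15.7.9"):
        print(ver, "VULNERABLE" if is_vulnerable(ver) else "ok")
    for hit in find_identity_mismatches(SAMPLE_PIPELINES):
        print("pipeline %d (%s): expected %s, ran as %s" % hit)
```

A mismatch is a lead, not proof: pipelines legitimately started by a different user (manual runs, schedules, triggers) need the expected actor derived from that event type before the comparison is meaningful.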
