{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-109.pdf"
    },
    "title": "Critical vulnerabilities in Gitlab",
    "serial_number": "2024-109",
    "publish_date": "11-10-2024 14:26:55",
    "description": "On October 9, 2024, GitLab released an advisory addressing several critical vulnerabilities in GitLab EE/CE affecting versions from 8.16 to 17.4.1.<br>\nIt is recommended to update affected assets as soon as possible.<br>\n",
    "url_title": "2024-109",
    "content_markdown": "---    \ntitle: 'Critical vulnerabilities in\u00a0Gitlab'\nnumber: '2024-109'\nversion: '1.0'\noriginal_date: '2024-10-09'\ndate: '2024-10-11'\n---\n\n_History:_\n\n* _11/10/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn October 9, 2024, GitLab released an advisory addressing several critical vulnerabilities in GitLab EE/CE affecting versions from 8.16 to 17.4.1.\n\nIt is recommended to update affected assets as soon as possible.\n\n# Technical Details\n\nThe vulnerability **CVE-2024-9164**, with a CVSS score of 9.6, allows unauthorised users to execute pipelines on branches without appropriate permission, leading to unauthorised code execution.\n\nThe vulnerability **CVE-2024-8970**, with a CVSS score of 8.2, allows an attacker to trigger a pipeline as another user under certain conditions, leading to potential unauthorised actions.\n\nThe vulnerability **CVE-2024-8977**, with a CVSS score of 8.2, is a Server-Side Request Forgery (SSRF) vulnerability in the Analytics Dashboard, allowing attackers to make unauthorised network requests.\n\n# Affected Products\n\nGitLab CE/EE versions from 8.16 up to 17.4.1.\n\n# Recommendations\n\nIt is highly recommended to update affected assets to the latest version as soon as possible.\n\n# References\n\n[1] https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/#run-pipelines-on-arbitrary-branches\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>11/10/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On October 9, 2024, GitLab released an advisory addressing several critical vulnerabilities in GitLab EE/CE affecting versions from 8.16 to 17.4.1.</p><p>It is recommended to update affected assets as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2024-9164</strong>, with a CVSS score of 9.6, allows unauthorised users to execute pipelines on branches without appropriate permission, leading to unauthorised code execution.</p><p>The vulnerability <strong>CVE-2024-8970</strong>, with a CVSS score of 8.2, allows an attacker to trigger a pipeline as another user under certain conditions, leading to potential unauthorised actions.</p><p>The vulnerability <strong>CVE-2024-8977</strong>, with a CVSS score of 8.2, is a Server-Side Request Forgery (SSRF) vulnerability in the Analytics Dashboard, allowing attackers to make unauthorised network requests.</p><h2 id=\"affected-products\">Affected Products</h2><p>GitLab CE/EE versions from 8.16 up to 17.4.1.</p><h2 id=\"recommendations\">Recommendations</h2><p>It is highly recommended to update affected assets to the latest version as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/#run-pipelines-on-arbitrary-branches</p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}