Platform
gitlab
Component
gitlab
Fixed versions
17.2.9
17.3.5
17.4.2
CVE-2024-9164 is a critical vulnerability in GitLab Enterprise Edition (EE) that the page treats as Remote Code Execution (RCE): a user with low privileges on the instance can trigger pipelines on arbitrary branches, including branches they are not permitted to run jobs on. The vulnerability affects all versions starting from 12.5 prior to 17.2.9, versions starting from 17.3 prior to 17.3.5, and versions starting from 17.4 prior to 17.4.2. Fixes are available in 17.2.9, 17.3.5 and 17.4.2.
The impact of CVE-2024-9164 is severe. Whoever can start a pipeline on a branch gets that branch's .gitlab-ci.yml executed on the project's runners, with the CI/CD variables, job token and deployment credentials that branch's jobs are entitled to, including variables scoped to protected branches. That is code execution in the pipeline environment, and from there an attacker can deploy malicious artifacts, read secrets, tamper with or exfiltrate repository contents, establish persistence through modified jobs or harvested credentials, and move laterally to whatever the runner or those credentials can reach. Because the ability to run pipelines on arbitrary branches bypasses the branch-protection controls that normally gate who may execute jobs against sensitive branches, the attack surface is every branch of every project the attacker can see.
CVE-2024-9164 was publicly disclosed on 2024-10-11. Exploitation requires only a low-privileged account and no user interaction, and its effect is code execution on the project's runners, so it is an attractive target. No public proof-of-concept (PoC) code had been released as of this writing, and active exploitation has not been confirmed, but the severity warrants immediate attention.
Organizations heavily reliant on GitLab CI/CD pipelines, particularly those with complex branching strategies, protected-branch deployment credentials, or shared runners, are at significant risk. Every GitLab EE instance in the affected ranges (12.5 up to 17.2.8, 17.3.0 up to 17.3.4, and 17.4.0 up to 17.4.1) is vulnerable. Shared hosting environments running GitLab EE are at increased risk because a low-privileged tenant could run jobs in another tenant's branch context.
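The affected ranges above are not a single interval, so a naive "below 17.4.2" check misclassifies patched 17.2.x and 17.3.x instances. The following is an added example (not code from GitLab or from this page) that encodes the three advisory ranges and reports the smallest fixed release on the instance's own release line; the version strings used in it are constructed for illustration.

```python
"""Classify a GitLab EE version against the CVE-2024-9164 affected ranges.

Added example. Ranges come from the advisory: 12.5 <= v < 17.2.9,
17.3 <= v < 17.3.5, 17.4 <= v < 17.4.2 (lower bound inclusive, upper exclusive).
"""

# (inclusive lower bound, exclusive upper bound) as (major, minor, patch) tuples
AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
]


def parse_version(version: str) -> tuple:
    """Turn '17.3.4-ee' or '17.4' into a comparable (major, minor, patch) tuple.

    The '-ee' / '-ce' suffix that `gitlab-rake gitlab:env:info` prints is dropped;
    missing components are treated as 0.
    """
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside any advisory range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def minimum_fixed_version(version: str) -> str:
    """Smallest fixed release on the same release line as `version`.

    Instances on 17.4.x go to 17.4.2, 17.3.x to 17.3.5, everything older to 17.2.9
    (older lines have no backported fix, so 17.2.9 is the minimum jump).
    """
    v = parse_version(version)
    if v >= (17, 4, 0):
        return "17.4.2"
    if v >= (17, 3, 0):
        return "17.3.5"
    return "17.2.9"


if __name__ == "__main__":
    # constructed inputs
    for ver in ["16.11.3-ee", "17.2.9-ee", "17.3.4-ee", "17.4.1-ee", "17.4.2-ee"]:
        state = "VULNERABLE" if is_vulnerable(ver) else "not affected"
        print(f"{ver:12} {state:13} (fix: {minimum_fixed_version(ver)})")
```

Feed it the output of `gitlab-rake gitlab:env:info` or the `version` field of `GET /api/v4/version`; the check is deliberately offline so it can run from a fleet inventory without touching each instance.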
Detection
• GitLab application logs: monitor for unusual pipeline execution patterns, especially pipelines created on protected or otherwise unexpected branches, and for errors related to pipeline configuration or execution. On Omnibus installs, API requests (including pipeline creation) are written as JSON lines to /var/log/gitlab/gitlab-rails/api_json.log.
# Example: check for pipeline runs on protected branches
# (requires access to the GitLab logs and, for anything beyond a one-off, custom scripting)
• Access logs: examine the instance's access logs for pipeline-creation requests from unexpected IP addresses or user accounts.
# Example: list pipeline-creation API calls from a suspicious address
# (Omnibus log path; substitute your own PROJECT_ID and SUSPICIOUS_IP)
grep '"method":"POST"' /var/log/gitlab/gitlab-rails/api_json.log \
  | grep '/api/v4/projects/[PROJECT_ID]/pipeline' \
  | grep '[SUSPICIOUS_IP]'
Disclosure
KEV
Exploitation status
EPSS
0.22% (45th percentile)
CISA SSVC
CVSS vector
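The detection notes above amount to "find successful pipeline-creation requests that should not have happened". As an added example (not code from this page or from GitLab), here is a small triage over api_json.log-style lines that flags pipeline creation on a protected ref by a user outside an allowlist, from outside the internal address space, or without an authenticated user. The log lines are constructed; the field names (`method`, `route`, `params`, `status`, `remote_ip`, `username`) follow the shape of GitLab's API JSON log, but the values are invented and the allowlists are illustrative.

```python
"""Triage GitLab api_json.log lines for suspicious pipeline creation.

Added example. SAMPLE_LOG is constructed; field names are assumed from the
shape of GitLab's api_json.log, the values are made up.
"""
import json
from typing import Dict, List, Optional, Set

SAMPLE_LOG = r"""
{"time":"2024-10-12T09:01:10Z","method":"POST","path":"/api/v4/projects/42/pipeline","route":"/api/:version/projects/:id/pipeline","params":[{"key":"ref","value":"feature/login"}],"status":201,"remote_ip":"10.0.0.5","username":"alice"}
{"time":"2024-10-12T09:02:44Z","method":"POST","path":"/api/v4/projects/42/pipeline","route":"/api/:version/projects/:id/pipeline","params":[{"key":"ref","value":"main"}],"status":201,"remote_ip":"203.0.113.7","username":"bob"}
{"time":"2024-10-12T09:03:01Z","method":"GET","path":"/api/v4/projects/42/pipelines","route":"/api/:version/projects/:id/pipelines","params":[],"status":200,"remote_ip":"10.0.0.5","username":"alice"}
{"time":"2024-10-12T09:05:19Z","method":"POST","path":"/api/v4/projects/42/trigger/pipeline","route":"/api/:version/projects/:id/trigger/pipeline","params":[{"key":"ref","value":"release/1.2"},{"key":"token","value":"[FILTERED]"}],"status":201,"remote_ip":"198.51.100.9","username":null}
"""

# Routes that create a pipeline: the pipeline API and the trigger-token API.
PIPELINE_CREATE_ROUTES = {
    "/api/:version/projects/:id/pipeline",
    "/api/:version/projects/:id/trigger/pipeline",
}


def _param(params: List[dict], key: str) -> Optional[str]:
    """Fetch one value from the [{"key":..,"value":..}] params array."""
    for p in params:
        if p.get("key") == key:
            return p.get("value")
    return None


def triage(log_text: str,
           protected_refs: Set[str],
           allowed_users: Dict[str, Set[str]],
           internal_prefixes=("10.",)) -> List[dict]:
    """Return one alert dict per (request, reason) for successful pipeline creation.

    Reasons: protected ref by a user not allowlisted for it; request from outside
    the internal address space; request with no authenticated user.
    """
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("method") != "POST" or ev.get("route") not in PIPELINE_CREATE_ROUTES:
            continue
        if ev.get("status") != 201:
            continue  # denied attempts are worth a separate, noisier rule
        ref = _param(ev.get("params", []), "ref") or "?"
        user = ev.get("username")
        ip = ev.get("remote_ip", "")
        reasons = []
        if ref in protected_refs and user not in allowed_users.get(ref, set()):
            reasons.append("pipeline on protected ref by non-allowlisted user")
        if not ip.startswith(internal_prefixes):
            reasons.append("request from outside internal address space")
        if user is None:
            reasons.append("unauthenticated request (trigger token or anonymous)")
        for reason in reasons:
            alerts.append({"time": ev["time"], "username": user, "remote_ip": ip,
                           "path": ev["path"], "ref": ref, "reason": reason})
    return alerts


if __name__ == "__main__":
    # constructed policy: who may run pipelines on which protected refs
    policy = {"main": {"alice"}, "release/1.2": {"alice"}}
    for a in triage(SAMPLE_LOG, set(policy), policy):
        print(f"{a['time']} {a['username']!s:6} {a['remote_ip']:14} {a['ref']:12} {a['reason']}")
```

The first sample line (a developer running a pipeline on their own feature branch from inside the network) produces nothing; the other two POSTs produce five alerts between them. Pipelines started from the web UI land in production_json.log rather than api_json.log, so a complete hunt applies the same rule to both files.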
The primary mitigation for CVE-2024-9164 is to upgrade GitLab EE to 17.2.9, 17.3.5 or 17.4.2 (or later on each line). If an immediate upgrade is not possible, reduce what an attacker gains from a rogue pipeline: protect every branch that carries deployment credentials, restrict push and merge on those branches to Maintainers, keep secrets as protected variables so they are not exposed to jobs on unprotected branches, and review who can run pipelines in shared projects. Audit recent pipelines for runs on branches or by users that do not match expected activity. A WAF is not a meaningful control here: the malicious content is the branch's own CI configuration delivered over git, not a request payload a WAF can classify. Monitor GitLab logs for unusual pipeline activity, particularly runs originating from unexpected branches or users.
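The branch-protection workaround above only helps if the protection is actually strict. The following is an added example (not code from this page or from GitLab) that audits the response of `GET /api/v4/projects/:id/protected_branches` for the weak settings that matter here: required refs left unprotected, push or merge allowed below Maintainer, and force-push enabled. The response body is constructed for the example; the access-level numbers (0 = No one, 30 = Developer, 40 = Maintainer) are GitLab's documented values.

```python
"""Audit GitLab protected-branch settings for weak configurations.

Added example. SAMPLE_RESPONSE is a constructed body in the shape of
GET /api/v4/projects/:id/protected_branches; fetch the real one with a
read_api token and pass it to audit_protected_branches().
"""
import json
from typing import List, Tuple

NO_ONE, DEVELOPER, MAINTAINER = 0, 30, 40  # GitLab access-level constants

SAMPLE_RESPONSE = json.loads(r"""
[
 {"id": 1, "name": "main", "allow_force_push": false,
  "push_access_levels":  [{"access_level": 40, "access_level_description": "Maintainers"}],
  "merge_access_levels": [{"access_level": 40, "access_level_description": "Maintainers"}]},
 {"id": 2, "name": "release/*", "allow_force_push": true,
  "push_access_levels":  [{"access_level": 30, "access_level_description": "Developers + Maintainers"}],
  "merge_access_levels": [{"access_level": 30, "access_level_description": "Developers + Maintainers"}]}
]
""")


def _too_permissive(level: int) -> bool:
    """'No one' (0) is the strictest setting; anything between that and
    Maintainer lets Developers act on the branch."""
    return NO_ONE < level < MAINTAINER


def audit_protected_branches(protected: List[dict],
                             required_refs: List[str]) -> List[Tuple[str, str]]:
    """Return (ref, finding) pairs for settings that weaken pipeline gating.

    `required_refs` lists branch names (or wildcards) that must be protected
    because their pipelines carry deployment credentials.
    """
    findings = []
    names = {b["name"] for b in protected}
    for ref in required_refs:
        if ref not in names:
            findings.append((ref, "not protected: any Developer can push and run a pipeline"))
    for b in protected:
        name = b["name"]
        if b.get("allow_force_push"):
            findings.append((name, "force push allowed"))
        for lvl in b.get("push_access_levels", []):
            if _too_permissive(lvl["access_level"]):
                findings.append((name, f"push allowed below Maintainer ({lvl['access_level_description']})"))
        for lvl in b.get("merge_access_levels", []):
            if _too_permissive(lvl["access_level"]):
                findings.append((name, f"merge allowed below Maintainer ({lvl['access_level_description']})"))
    return findings


if __name__ == "__main__":
    # constructed policy: branches whose jobs hold deployment credentials
    for ref, finding in audit_protected_branches(SAMPLE_RESPONSE, ["main", "release/*", "production"]):
        print(f"{ref:12} {finding}")
```

Run it per project (or over a `GET /api/v4/projects?membership=true` enumeration) and treat every finding as a branch whose secrets a rogue pipeline could reach until the instance is patched.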
Upgrade GitLab to version 17.2.9, 17.3.5 or 17.4.2, or to a later release. This corrects the missing authentication for critical functions that allowed pipelines to be run on arbitrary branches. Upgrading is essential to protect your GitLab instance.
CVE-2024-9164 is a critical Remote Code Execution vulnerability in GitLab Enterprise Edition allowing attackers to run pipelines on arbitrary branches, potentially gaining full control of the system.
You are affected if you are running GitLab EE 12.5 or later below 17.2.9, 17.3.x below 17.3.5, or 17.4.x below 17.4.2. Upgrade to 17.2.9, 17.3.5 or 17.4.2 (or later) to mitigate the risk.
Upgrade GitLab EE to 17.2.9, 17.3.5 or 17.4.2 (or later). As a temporary workaround, protect the branches that carry deployment credentials, restrict push and merge on them to Maintainers, and keep secrets as protected variables.
Active exploitation has not been confirmed, but the vulnerability's severity and the low privileges it requires suggest it is likely to be targeted.
Refer to the official GitLab security advisory: https://gitlab.com/security/advisories/CVE-2024-9164