← back
CVE-2024-6678

Authentication Bypass by Spoofing in GitLab

CVSS 9.9 CRITICALEPSS 2.0%CWE-290
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
GitLab · GitLab
public PoCs found2
githubgithub.com/FaLLenSKiLL1/CVE-2024-66784cve_referencehackerone.com/reports/2595495unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/https://gitlab.com/gitlab-org/gitlab/-/issues/471923https://hackerone.com/reports/2595495