Cyber Posture

CVE-2024-7102

Critical

Published: 13 February 2025
Modified: 06 August 2025
KEV Added: not listed
Patch: GitLab 17.5.0 or later
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-7102 is a critical-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in GitLab CE/EE (vendor GitLab). Its CVSS base score is 9.6 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.2nd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1059, listed below). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent): Addresses CWE-250 by enforcing least privilege, so that a low-privileged attacker cannot trigger pipelines with another user's elevated context and privileges.

AC-3 Access Enforcement (prevent): Enforces approved access control policies to block unauthorized logical access, directly mitigating the failure that allows cross-user pipeline triggering.

SI-2 Flaw Remediation (prevent): Mandates timely flaw remediation, such as patching GitLab to 17.5.0 or later, to eliminate the specific vulnerability enabling the attack.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

The vulnerability in the public-facing GitLab web application directly enables an authenticated attacker to execute CI/CD pipelines (command/script execution) in another user's context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.0 which allows an attacker to trigger a pipeline as another user under certain circumstances.

Deeper analysis

CVE-2024-7102 is a vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 16.4 prior to 17.5.0. The issue enables an attacker to trigger a CI/CD pipeline as another user under certain circumstances. It carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and is linked to CWE-250 (Execution with Unnecessary Privileges), with additional NVD-CWE-noinfo classification. The vulnerability was published on 2025-02-13.

The attack requires low privileges (PR:L), such as those of an authenticated user, and can be carried out over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C), allowing the attacker to trigger pipelines in the context of another user, which can result in high confidentiality (C:H) and integrity (I:H) impacts, though availability is unaffected (A:N).

Advisories recommend upgrading to GitLab 17.5.0 or later, the first release outside the affected version range, to mitigate the issue. Additional details are available in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/474414 and in the HackerOne disclosure report at https://hackerone.com/reports/2623063.

Details

CWE(s): CWE-250 Execution with Unnecessary Privileges; NVD-CWE-noinfo

Affected Products

gitlab gitlab: 16.4.0 up to, but not including, 17.5.0

CVEs Like This One

CVE-2024-9870 (same product: GitLab)
CVE-2025-9222 (same product: GitLab)
CVE-2026-0723 (same product: GitLab)
CVE-2024-8402 (same product: GitLab)
CVE-2026-5173 (same product: GitLab)
CVE-2026-1092 (same product: GitLab)
CVE-2026-2745 (same product: GitLab)
CVE-2025-13928 (same product: GitLab)
CVE-2025-0376 (same product: GitLab)
CVE-2025-14513 (same product: GitLab)

References

GitLab issue tracker: https://gitlab.com/gitlab-org/gitlab/-/issues/474414
HackerOne disclosure report: https://hackerone.com/reports/2623063