CVE-2024-7110
Published: 22 August 2024
Summary
CVE-2024-7110 is a medium-severity Command Injection (CWE-77) vulnerability in Gitlab Gitlab. Its CVSS base score is 6.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Poisoned Pipeline Execution (T1677); ranked at the 27.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain; MITRE ATLAS techniques in scope: Direct (AML.T0051.000).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48089
Vulnerability details
An issue was discovered in GitLab EE affecting all versions starting 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1 allows an attacker to execute arbitrary command in a victim's pipeline through prompt injection.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- GitLab EE's 'Resolve Vulnerability' feature integrates an LLM (Anthropic) to generate code patches from SAST reports, making it an enterprise AI assistant vulnerable to prompt injection attacks via crafted reports.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2024-7110 enables prompt injection in GitLab's 'Resolve Vulnerability' feature via crafted SAST reports, causing the LLM to generate malicious CI pipeline code that executes arbitrary commands in the victim's context, directly facilitating Poisoned Pipeline Execution (T1677).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.