CVE-2024-12570

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.

Database specific

{
    "cna_assigner": "GitLab",
    "cwe_ids": [
        "CWE-270"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12570.json"
}

References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

036576a25d67513637c1e2cba5859af47695188e

Fixed

25a55583bbcf724ad625848d48a529467e7c7097

Database specific

{
    "versions": [
        {
            "introduced": "13.7"
        },
        {
            "fixed": "17.4.6"
        }
    ]
}

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

173959793c1163052d16c2158773ea9504aa712e

Fixed

0397324ed14bb7f0ede422841d713fd22349302f

Database specific

{
    "versions": [
        {
            "introduced": "17.5"
        },
        {
            "fixed": "17.5.4"
        }
    ]
}

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

a8830741d3c4ad7f6a70eed38ee7af31f298d093

Fixed

6ff444aad3a327c384b0859be326d042dde090ee

Database specific

{
    "versions": [
        {
            "introduced": "17.6"
        },
        {
            "fixed": "17.6.2"
        }
    ]
}

Affected versions

v17.*

v17.5.0-ee

v17.5.1-ee

v17.5.2-ee

v17.5.3-ee

v17.6.0-ee

v17.6.1-ee

v17.6.2-rc30-ee

v17.6.2-rc31-ee