CVE-2024-12570

Published: Dec 12, 2024Modified: Jul 11, 2025

6.7

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

Exploitability: 1.2 / Impact: 5.5

Source: cve@gitlab.com (Secondary)

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's `CI_JOB_TOKEN` to obtain a GitLab session token belonging to the victim.

Affected (6)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 13.7.0 to 17.4.6
Gitlab Gitlab	From 17.5.0 to 17.5.4
Gitlab Gitlab	From 17.6.0 to 17.6.2
Gitlab Gitlab	From 13.7.0 to 17.4.6
Gitlab Gitlab	From 17.5.0 to 17.5.4
Gitlab Gitlab	From 17.6.0 to 17.6.2

Related CWEs

CWE-270

Privilege Context Switching Error

The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

References (2)

https://gitlab.com/gitlab-org/gitlab/-/issues/494694

Source: cve@gitlab.com

ExploitIssue TrackingVendor Advisory

https://hackerone.com/reports/2724948

Source: cve@gitlab.com

Permissions Required

Timeline

No history available yet.