Cyber Posture

CVE-2024-7102

Critical

Published: 13 February 2025

Modified: 06 August 2025
KEV Added
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0010 (27.3rd percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.0 which allows an attacker to trigger a pipeline as another user under certain circumstances.

Security Summary

CVE-2024-7102 is a vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 16.4 prior to 17.5.0. The issue enables an attacker to trigger a CI/CD pipeline as another user under certain circumstances. It carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and is classified under CWE-250 (Execution with Unnecessary Privileges); NVD additionally records it as NVD-CWE-noinfo. The vulnerability was published on 2025-02-13.

The attack requires only low privileges (PR:L), such as those of an authenticated user, and can be carried out over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C): a pipeline is run in the context of another user, so the impact extends beyond the attacker's own authorization. This yields high confidentiality (C:H) and integrity (I:H) impacts, while availability is unaffected (A:N).

Advisories recommend upgrading to GitLab 17.5.0 or later, the first release outside the affected version range, to remediate the issue. Additional details are available in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/474414 and in the HackerOne disclosure report at https://hackerone.com/reports/2623063.

Details

CWE(s)
CWE-250, NVD-CWE-noinfo

Affected Products

Vendor: gitlab
Product: gitlab
Affected versions: 16.4.0 to 17.5.0 (17.5.0 excluded; see description)
