CVE-2024-9773
Published: 27 March 2025
Description
An adversary may rely upon a user copying and pasting code in order to gain execution.
Security Summary
CVE-2024-9773 is an input validation issue in the Harbor registry integration within GitLab Enterprise Edition (EE). It affects all versions starting from 14.9 before 17.8.6, all versions starting from 17.9 before 17.8.3, and all versions starting from 17.10 before 17.10.1. Classified as CWE-77 (command injection), the vulnerability carries a CVSS v3.1 base score of 3.7 (AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N) and was published on 2025-03-27.
A maintainer with sufficient privileges could exploit this issue to inject malicious code into CLI commands displayed in the GitLab UI. Exploitation requires local access, high attack complexity, and user interaction, such as another user copying and executing the tampered CLI commands on their system. Successful exploitation could result in low-impact confidentiality and integrity violations.
Mitigation details are available in the referenced advisories, including the GitLab issue at https://gitlab.com/gitlab-org/gitlab/-/issues/498557 and the HackerOne report at https://hackerone.com/reports/2671808, which align with upgrading to the specified patched versions beyond the affected ranges.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability in displayed CLI commands directly enables attackers to tamper with commands that users copy and paste for execution, mapping to T1204.004 Malicious Copy and Paste.