CVE-2024-9164 Overview
CVE-2024-9164 is a critical-severity authorization flaw in GitLab Enterprise Edition (EE); GitLab's advisory rates it CVSS v3.1 9.6. The vulnerability allows an authenticated user to run continuous integration and continuous deployment (CI/CD) pipelines on arbitrary branches of a project, including branches that user is not permitted to push to. It affects all GitLab EE versions from 12.5 before 17.2.9, from 17.3 before 17.3.5, and from 17.4 before 17.4.2. The issue is classified under [CWE-306] Missing Authentication for Critical Function; despite the CWE's name, this is an authorization (access-control) gap, since the attacker must already hold an account. Successful exploitation enables tampering with the build and deployment workflows of protected branches, injection of malicious code into build pipelines, and compromise of the software supply chain.
Critical Impact
Authenticated attackers can execute CI/CD pipelines against arbitrary branches, leading to code injection, secret exposure, and supply chain compromise across protected repositories.
Affected Products
- GitLab Enterprise Edition versions 12.5 through 17.2.8
- GitLab Enterprise Edition versions 17.3 through 17.3.4
- GitLab Enterprise Edition versions 17.4 through 17.4.1
Discovery Timeline
- 2024-10-11 - CVE-2024-9164 published to NVD
- 2024-12-13 - Last updated in NVD database
Technical Details for CVE-2024-9164
Vulnerability Analysis
The vulnerability resides in GitLab EE's pipeline execution authorization logic. The platform fails to properly enforce branch-level permissions when initiating pipeline runs. Attackers with low-privilege accounts can trigger pipelines on branches they should not be authorized to execute against. This includes protected branches that typically house production code and sensitive deployment workflows.
The weakness maps to [CWE-306] Missing Authentication for Critical Function. GitLab pipelines often hold elevated permissions and access to CI/CD variables, deployment keys, and registry credentials. Running pipelines on arbitrary branches exposes these secrets and creates execution contexts under attacker-controlled configurations.
Root Cause
The root cause is an incomplete authorization check in the pipeline creation workflow: GitLab did not confirm that the requesting user was allowed to run pipelines against the target ref before queuing the pipeline, so branch protection rules and project membership boundaries did not constrain pipeline scheduling and unauthorized job execution became possible. The advisory does not describe the exact code path; the fixed releases restore the branch-level check at pipeline creation time.
Attack Vector
An authenticated user with minimal access to a GitLab project sends a pipeline creation request targeting an arbitrary branch. Because the platform skips the branch authorization check, the pipeline executes using the .gitlab-ci.yml configuration present on that branch. The attacker can extract CI/CD secrets, manipulate build artifacts, or deploy unauthorized code through automated workflows. Refer to GitLab Issue #493946 and HackerOne Report #2711204 for additional technical context.
Detection Methods for CVE-2024-9164
Indicators of Compromise
- Pipeline executions initiated by users without explicit developer or maintainer roles on the target branch
- Unexpected pipeline runs against protected branches outside normal merge request workflows
- CI/CD job logs showing access to secrets or deployment credentials from low-privilege user contexts
- Newly created or modified .gitlab-ci.yml files on feature branches followed by pipeline runs on protected branches
Detection Strategies
- Audit pipeline records (the ci_pipelines table via gitlab-psql, or the Pipelines API with its username filter) and correlate each pipeline's user_id with project membership and the protection rules of the target ref
- Review GitLab audit events and pipeline history for pipelines created on protected branches by users below the access level those branches require
- Search the API log (/var/log/gitlab/gitlab-rails/api_json.log on Omnibus installs) for successful POST /api/v4/projects/:id/pipeline requests whose ref parameter names a protected branch; pipelines started from the web UI are logged in production_json.log instead, so check both
- Compare pipeline trigger sources against expected merge request and scheduled pipeline patterns
Monitoring Recommendations
- Forward GitLab audit logs and CI/CD job events to a centralized logging platform for retention and correlation
- Configure alerts for pipeline executions on protected branches initiated outside merge request contexts
- Track CI/CD variable access patterns and flag retrievals from pipelines triggered by low-privilege users
- Establish a baseline of normal pipeline activity per project and alert on deviations
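The log-correlation strategy above, and the post-patch audit of recent pipeline runs, can be scripted. The following is an added example and not GitLab's own code: it replays constructed api_json.log lines against a constructed membership snapshot and protected-branch rules, and reports every successful pipeline-creation request whose requester holds less than the push access level the target branch requires. The field names (method, status, path, username, meta.project, params) follow GitLab's api_json.log layout and the Members and Protected Branches APIs, but treat them as assumptions to verify against your own log sample before relying on the output.

```python
"""Audit pipeline-creation API calls for CVE-2024-9164 exposure.

Added example; not GitLab code. Field names follow GitLab's api_json.log
layout and the Members / Protected Branches APIs (assumed); the sample
log, members and rules below are constructed.
"""
import json
import re
from fnmatch import fnmatchcase
from typing import Iterator, Optional

# Access levels as defined by the GitLab Members API.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50
LEVEL_NAMES = {0: "none", GUEST: "Guest", REPORTER: "Reporter",
               DEVELOPER: "Developer", MAINTAINER: "Maintainer", OWNER: "Owner"}

# Constructed snapshot of GET /projects/:id/members/all (username -> access_level).
MEMBERS = {"group/app": {"alice": MAINTAINER, "bob": DEVELOPER, "mallory": GUEST}}

# Constructed protected-branch rules: branch name or wildcard -> minimum push
# level, as reported by GET /projects/:id/protected_branches (push_access_levels).
PROTECTED_BRANCHES = {"group/app": {"main": MAINTAINER, "release/*": MAINTAINER}}

# Constructed api_json.log excerpt, one JSON object per line.
SAMPLE_LOG = "\n".join([
    '{"time":"2024-10-10T09:00:01Z","method":"POST","status":201,"path":"/api/v4/projects/42/pipeline","username":"alice","meta.project":"group/app","params":[{"key":"ref","value":"main"}]}',
    '{"time":"2024-10-10T09:05:44Z","method":"POST","status":201,"path":"/api/v4/projects/42/pipeline","username":"mallory","meta.project":"group/app","params":[{"key":"ref","value":"main"}]}',
    '{"time":"2024-10-10T09:07:12Z","method":"POST","status":201,"path":"/api/v4/projects/42/pipeline","username":"bob","meta.project":"group/app","params":[{"key":"ref","value":"release/1.0"}]}',
    '{"time":"2024-10-10T09:09:30Z","method":"POST","status":403,"path":"/api/v4/projects/42/pipeline","username":"mallory","meta.project":"group/app","params":[{"key":"ref","value":"main"}]}',
    '{"time":"2024-10-10T09:11:05Z","method":"POST","status":201,"path":"/api/v4/projects/42/pipeline","username":"bob","meta.project":"group/app","params":[{"key":"ref","value":"feature/x"}]}',
    '{"time":"2024-10-10T09:12:58Z","method":"POST","status":201,"path":"/api/v4/projects/42/pipeline","username":"eve","meta.project":"group/app","params":[{"key":"ref","value":"main"}]}',
    '{"time":"2024-10-10T09:13:20Z","method":"GET","status":200,"path":"/api/v4/projects/42/pipelines","username":"alice","meta.project":"group/app","params":[]}',
])

PIPELINE_CREATE = re.compile(r"^/api/v4/projects/[^/]+/pipeline$")


def required_level(project: str, ref: str, rules=PROTECTED_BRANCHES) -> Optional[int]:
    """Minimum push access level a protected-branch rule demands for ref, or
    None when no rule matches. Wildcard rules (release/*) match as in GitLab."""
    levels = [lvl for pat, lvl in rules.get(project, {}).items() if fnmatchcase(ref, pat)]
    return max(levels) if levels else None


def pipeline_creates(log_text: str) -> Iterator[dict]:
    """Yield successful pipeline-creation requests from api_json.log content."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than abort the audit
        if ev.get("method") != "POST" or not PIPELINE_CREATE.match(ev.get("path", "")):
            continue
        if not 200 <= int(ev.get("status", 0)) < 300:
            continue  # a 4xx means the request was refused; no pipeline ran
        params = {p.get("key"): p.get("value") for p in ev.get("params", [])}
        yield {"time": ev.get("time"), "user": ev.get("username"),
               "project": ev.get("meta.project"), "ref": params.get("ref", "")}


def find_unauthorized_runs(log_text: str, members=MEMBERS, rules=PROTECTED_BRANCHES) -> list:
    """Pipelines on protected refs created by users below the required level."""
    findings = []
    for ev in pipeline_creates(log_text):
        need = required_level(ev["project"], ev["ref"], rules)
        if need is None:
            continue  # unprotected ref: the flaw is not needed to run a pipeline there
        have = members.get(ev["project"], {}).get(ev["user"], 0)  # 0: not a member
        if have < need:
            findings.append({**ev, "has": LEVEL_NAMES.get(have, str(have)),
                             "needs": LEVEL_NAMES.get(need, str(need))})
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_runs(SAMPLE_LOG):
        print(f"{f['time']} {f['project']} ref={f['ref']} by {f['user']} "
              f"({f['has']}, branch requires {f['needs']})")
```

On the constructed sample this flags three runs: mallory (Guest) and eve (not a member) on main, and bob (Developer) on release/1.0, while alice's run on main, the denied 403 request, the run on an unprotected feature branch and the GET listing are ignored. Membership and protection rules change over time, so for a real audit export both as they stood during the exposure window, and remember that pipelines started from the web UI, from schedules or from trigger tokens do not appear in api_json.log under this route.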
How to Mitigate CVE-2024-9164
Immediate Actions Required
- Upgrade GitLab EE to version 17.2.9, 17.3.5, 17.4.2, or later as appropriate for your deployment
- Rotate all CI/CD variables, deployment tokens, and registry credentials that may have been exposed
- Audit recent pipeline executions for unauthorized runs against protected branches
- Review project membership and remove unnecessary low-privilege accounts from sensitive repositories
Patch Information
GitLab released fixed versions 17.2.9, 17.3.5, and 17.4.2 that enforce branch-level authorization during pipeline creation. Self-managed GitLab administrators should apply the upgrade immediately, following GitLab's documented upgrade path if the instance is more than one minor release behind. GitLab.com SaaS customers received the patch automatically. GitLab Issue #493946 tracks the fix; consult the patch release notes for the three versions above for upgrade details.
Workarounds
- Restrict project membership to trusted users until the upgrade is completed
- Disable CI/CD on critical projects temporarily if patching cannot be performed immediately
- Remove sensitive CI/CD variables from project settings and rely on external secret managers with stricter access controls
- Enforce protected branch settings and review pipeline trigger permissions for all production repositories
# Verify the running GitLab version on a self-managed (Omnibus) instance
sudo gitlab-rake gitlab:env:info | grep -E '^Version'
# Check GitLab's documented upgrade path before proceeding: jumping several
# minor releases at once requires intermediate stops
# Debian/Ubuntu upgrade example, pinned to the fixed 17.4.x release
sudo apt-get update
sudo apt-get install gitlab-ee=17.4.2-ee.0
# Reconfigure and restart so every service picks up the new release
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
# Confirm the fixed version is live
sudo gitlab-rake gitlab:env:info | grep -E '^Version'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.