CVE-2024-7110: 
GitLab vulnerability analysis and mitigation

A prompt injection vulnerability was discovered in GitLab Enterprise Edition (EE) affecting versions from 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. The vulnerability allows attackers to execute arbitrary commands in a victim's pipeline through prompt injection in the 'Resolve Vulnerability' feature. This security issue was internally discovered by GitLab team member Dennis Appelt and has been assigned CVE-2024-7110 (GitLab Release).

The vulnerability is classified as medium severity with a CVSS v3.1 base score of 6.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N). The issue stems from the 'Resolve Vulnerability' feature that uses an LLM to generate code patches from vulnerability findings. The vulnerability allows attackers to inject malicious instructions into the LLM prompt through crafted SAST reports, which can then be executed in the context of the victim's pipeline when they use the 'Resolve Vulnerability' feature (GitLab Issue).

When successfully exploited, this vulnerability enables attackers to execute arbitrary commands within the victim's pipeline context. This could potentially lead to unauthorized access to sensitive information and compromise of pipeline integrity. The vulnerability affects both confidentiality and integrity aspects of the system, though availability remains unaffected (NVD).

GitLab has addressed this vulnerability in versions 17.1.6, 17.2.4, and 17.3.1. Users are strongly recommended to upgrade to these patched versions immediately. The fix has already been implemented on GitLab.com (GitLab Release).