CVE-2024-8311: 
GitLab vulnerability analysis and mitigation

A vulnerability (CVE-2024-8311) was discovered in GitLab Enterprise Edition (EE) affecting versions from 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. The vulnerability allows authenticated users to bypass variable overwrite protection through the inclusion of a CI/CD template (GitLab Release).

The vulnerability is related to pipeline execution policies in GitLab EE, where variables from settings are not properly overwritten by Pipeline Execution Policy (PEP) when a template is included. This security flaw has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and required low privileges (NVD).

The vulnerability enables authenticated users to bypass variable overwrite protection mechanisms in GitLab's CI/CD pipeline configuration. This could potentially lead to unauthorized modification of pipeline variables, compromising the intended security controls set by pipeline execution policies (Cyble).

GitLab has addressed this vulnerability in versions 17.2.5 and 17.3.2. Organizations are strongly advised to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).

The vulnerability was discovered internally by GitLab team member Andy Schoenen, demonstrating GitLab's commitment to internal security research and responsible disclosure (GitLab Release).