CVE-2024-8641: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. The vulnerability (CVE-2024-8641) involves improper session handling where an attacker with access to a victim's CI_JOB_TOKEN could potentially obtain the victim's GitLab session token (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. However, GitLab Inc. assessed it with a lower CVSS score of 6.7 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L. The vulnerability is related to privilege context switching errors, as indicated by its CWE-270 classification (NVD).

The vulnerability could allow an attacker to obtain unauthorized access to a victim's GitLab session token, potentially leading to account compromise and unauthorized access to sensitive areas within the GitLab environment (Cyble).

GitLab has released patches to address this vulnerability in versions 17.3.2, 17.2.5, and 17.1.7. Organizations are strongly advised to upgrade to these latest versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).