AVID-2026-R1599
Description
Improper Neutralization of Special Elements used in a Command (‘Command Injection’) in GitLab (CVE-2024-7110)
Details
An issue was discovered in GitLab EE affecting all versions from 17.0 to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1 that allows an attacker to execute arbitrary commands in a victim’s pipeline through prompt injection.
Reason for inclusion in AVID: CVE-2024-7110 is a command-injection vulnerability in GitLab that enables arbitrary command execution in a victim’s CI pipeline. GitLab is a widely used tool in ML/AI development and deployment pipelines, so this directly affects the software supply chain for AI systems. The vulnerability is clearly security-related and the report provides explicit details (scope, impact, references), supporting its relevance to AI supply chains. Therefore it meets all four criteria for AVID curation.
References
Affected or Relevant Artifacts
- Developer: GitLab
- Deployer: GitLab
- Artifact Details:
| Type | Name |
|---|---|
| System | GitLab |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
| Base Score | 6.4 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🔴 High |
| Privileges Required | 🟢 Low |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-77 | CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-08-22
- Version: 0.3.3
- AVID Entry