Home » Database

AVID-2026-R1616

Description

Improper Protection of Alternate Path in GitLab (CVE-2024-8311)

Details

An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template.

Reason for inclusion in AVID: CVE-2024-8311 describes a concrete security vulnerability in GitLab’s CI/CD pipeline execution policies that allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template. GitLab is a widely used tool in software development and is commonly part of AI/ML workflows for building, packaging, deploying, and running AI systems. As such, this vulnerability sits in a software supply chain component (CI/CD pipelines) used to build and deploy AI software, representing a legitimate general-purpose AI supply chain risk. The issue is a clear security vulnerability (potentially enabling tampering with pipeline behavior) and the report provides explicit details and references (CVE entry, CWE-424, CVSS 3.1, and GitLab issue), meeting sufficent signal for classification.

References

Affected or Relevant Artifacts

  • Developer: GitLab
  • Deployer: GitLab
  • Artifact Details:
TypeName
SystemGitLab

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Base Score6.5
Base Severity🟠 Medium
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges Required🟢 Low
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity Impact🔴 High
Availability ImpactNONE

CWE

IDDescription
CWE-424CWE-424: Improper Protection of Alternate Path

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-09-12
  • Version: 0.3.3
  • AVID Entry