CVE-2024-2177 Improper Restriction of Rendered UI Layers or Frames in GitLab

2024-07-0913:30:57

CWE-1021

GitLab

www.cve.org

cve-2024-2177

gitlab

cross window forgery

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS

Percentile

9.2%

JSON

A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.

CNA Affected

[
  {
    "cpes": [
      "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "product": "GitLab",
    "repo": "git://[email protected]:gitlab-org/gitlab.git",
    "vendor": "GitLab",
    "versions": [
      {
        "lessThan": "16.11.5",
        "status": "affected",
        "version": "16.3",
        "versionType": "semver"
      },
      {
        "lessThan": "17.0.3",
        "status": "affected",
        "version": "17.0",
        "versionType": "semver"
      },
      {
        "lessThan": "17.1.1",
        "status": "affected",
        "version": "17.1",
        "versionType": "semver"
      }
    ]
  }
]