CVE-2024-5257 Improper Access Control in GitLab

2024-07-1106:57:09

CWE-284

GitLab

www.cve.org

gitlab

improper access control

cve-2024-5257

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

EPSS

Percentile

14.3%

JSON

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with admin_compliance_framework custom role may have been able to modify the URL for a group namespace.

CNA Affected

[
  {
    "cpes": [
      "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "product": "GitLab",
    "repo": "git://[email protected]:gitlab-org/gitlab.git",
    "vendor": "GitLab",
    "versions": [
      {
        "lessThan": "17.0.4",
        "status": "affected",
        "version": "17.0",
        "versionType": "semver"
      },
      {
        "lessThan": "17.1.2",
        "status": "affected",
        "version": "17.1",
        "versionType": "semver"
      }
    ]
  }
]