Lucene search

GoogleOSV:BIT-GITLAB-2024-4835

HistoryMay 29, 2024 - 7:19 a.m.

BIT-gitlab-2024-4835

2024-05-2907:19:26

Google

osv.dev

147

xss

vulnerability

gitlab

versions

15.11

16.10.6

16.11.3

17.0

attacker

craft

malicious

exfiltrate

sensitive

user information

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.

CPENameOperatorVersion
gitlabge16.11.0
gitlablt17.0.1
gitlablt16.11.3
gitlablt16.10.6
gitlabge15.11.0
gitlabge17.0.0

Name	Operator	Version
gitlab	ge	16.11.0
gitlab	lt	17.0.1
gitlab	lt	16.11.3
gitlab	lt	16.10.6
gitlab	ge	15.11.0
gitlab	ge	17.0.0

References

gitlab.com/gitlab-org/gitlab/-/issues/461328

hackerone.com/reports/2497024

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for OSV:BIT-GITLAB-2024-4835