Lucene search

GitLabVULNRICHMENT:CVE-2024-4660

HistorySep 12, 2024 - 4:57 p.m.

CVE-2024-4660 Missing Authorization in GitLab

2024-09-1216:57:03

CWE-862

GitLab

github.com

cve-2024-4660

missing authorization

gitlab

source code

private project

group templates

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.7

Confidence

Low

EPSS

0.001

Percentile

47.2%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates.

References

gitlab.com/gitlab-org/gitlab/-/issues/460892

hackerone.com/reports/2480126

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.7

Confidence

Low

EPSS

0.001

Percentile

47.2%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-4660