CVE-2024-1066

An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL `vulnerabilitiesCountByDay`

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/420341	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab::::::::
	cpe:2.3:a:gitlab:gitlab::::::::
	cpe:2.3:a:gitlab:gitlab::::::::

History

08 Oct 2024, 19:52

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/420341 - Issue Tracking, Permissions Required~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/420341 - Issue Tracking, Vendor Advisory
CWE	~~CWE-400~~

03 Oct 2024, 07:15

Type	Values Removed	Values Added
CWE		CWE-770

04 Mar 2024, 21:00

Type	Values Removed	Values Added
First Time		Gitlab Gitlab gitlab
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/420341 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/420341 - Issue Tracking, Permissions Required
CPE		cpe:2.3:a:gitlab:gitlab::::::::

07 Feb 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-07 22:15

Updated : 2024-10-08 19:52

NVD link : CVE-2024-1066

Mitre link : CVE-2024-1066

CVE.ORG link : CVE-2024-1066

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2024-1066", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-02-07T22:15:09.797", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/420341", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}, {"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL `vulnerabilitiesCountByDay`"}, {"lang": "es", "value": "Se ha descubierto un problema en GitLab EE que afecta a todas las versiones desde 13.3.0 anterior a 16.6.7, 16.7 anterior a 16.7.5 y 16.8 anterior a 16.8.2, lo que permite a un atacante agotar los recursos utilizando las `vulnerabilidadesCountByDay` de GraphQL."}], "lastModified": "2024-10-08T19:52:24.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9050BD58-8285-4043-A5CE-D176B837C006", "versionEndExcluding": "16.6.7", "versionStartIncluding": "13.3.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EBC5A56-73F8-43A7-8EC8-B76904367719", "versionEndExcluding": "16.7.5", "versionStartIncluding": "16.7.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49D0039A-BE00-4F9D-8385-2B81C5AB5CD6", "versionEndExcluding": "16.8.2", "versionStartIncluding": "16.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}