CVE-2024-4660

An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/460892	Broken Link
https://hackerone.com/reports/2480126	Permissions Required
https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

21 Nov 2024, 09:43

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 6.5
References		() https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/ -

14 Sep 2024, 14:57

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 7.5
First Time		Gitlab gitlab Gitlab
CWE		NVD-CWE-noinfo
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/460892 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/460892 - Broken Link
References	~~() https://hackerone.com/reports/2480126 -~~	() https://hackerone.com/reports/2480126 - Permissions Required
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
Summary		(es) Se ha descubierto un problema en GitLab EE que afecta a todas las versiones a partir de la 11.2 hasta la 17.1.7, a todas las versiones a partir de la 17.2 hasta la 17.2.5 y a todas las versiones a partir de la 17.3 hasta la 17.3.2. Un invitado podía leer el código fuente de un proyecto privado mediante plantillas de grupo.

12 Sep 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-12 17:15

Updated : 2024-11-21 09:43

NVD link : CVE-2024-4660

Mitre link : CVE-2024-4660

CVE.ORG link : CVE-2024-4660

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-862

Missing Authorization

NVD-CWE-noinfo

{"id": "CVE-2024-4660", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-09-12T17:15:04.937", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/460892", "tags": ["Broken Link"], "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2480126", "tags": ["Permissions Required"], "source": "cve@gitlab.com"}, {"url": "https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates."}, {"lang": "es", "value": "Se ha descubierto un problema en GitLab EE que afecta a todas las versiones a partir de la 11.2 hasta la 17.1.7, a todas las versiones a partir de la 17.2 hasta la 17.2.5 y a todas las versiones a partir de la 17.3 hasta la 17.3.2. Un invitado pod\u00eda leer el c\u00f3digo fuente de un proyecto privado mediante plantillas de grupo."}], "lastModified": "2024-11-21T09:43:19.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "4F6975C5-F519-4A85-8E4B-1C8067F7B0CB", "versionEndExcluding": "17.1.7", "versionStartIncluding": "11.2.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "1F428DA1-FB1C-4B14-A1E1-65177E7F4B10", "versionEndExcluding": "17.2.5", "versionStartIncluding": "17.2.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "145E52CC-F503-446E-A760-1C01753DA938", "versionEndExcluding": "17.3.2", "versionStartIncluding": "17.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}