CVE-2024-5435

An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/464044	Broken Link
https://hackerone.com/reports/2520722	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

14 Sep 2024, 15:05

Type	Values Removed	Values Added
Summary		(es) Se ha descubierto un problema en GitLab EE/CE que afecta a todas las versiones desde la 15.10 hasta la 17.1.7, todas las versiones desde la 17.2 hasta la 17.2.5 y todas las versiones desde la 17.3 hasta la 17.3.2, que revelarán la contraseña del usuario desde la configuración del espejo del repositorio.
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/464044 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/464044 - Broken Link
References	~~() https://hackerone.com/reports/2520722 -~~	() https://hackerone.com/reports/2520722 - Permissions Required
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:::::community:::*
First Time		Gitlab gitlab Gitlab
CVSS	v2 : ~~unknown~~ v3 : ~~4.5~~	v2 : unknown v3 : 6.5

12 Sep 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-12 17:15

Updated : 2024-09-14 15:05

NVD link : CVE-2024-5435

Mitre link : CVE-2024-5435

CVE.ORG link : CVE-2024-5435

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2024-5435", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.9}]}, "published": "2024-09-12T17:15:05.147", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/464044", "tags": ["Broken Link"], "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2520722", "tags": ["Permissions Required"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-209"}]}, {"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration."}, {"lang": "es", "value": "Se ha descubierto un problema en GitLab EE/CE que afecta a todas las versiones desde la 15.10 hasta la 17.1.7, todas las versiones desde la 17.2 hasta la 17.2.5 y todas las versiones desde la 17.3 hasta la 17.3.2, que revelar\u00e1n la contrase\u00f1a del usuario desde la configuraci\u00f3n del espejo del repositorio."}], "lastModified": "2024-09-14T15:05:50.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "ABF7770C-12E5-496B-8D5F-F6E55E610AA8", "versionEndExcluding": "17.1.7", "versionStartIncluding": "15.10.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "A9EB56F1-6DB6-45C7-BD1B-B7B28A15B291", "versionEndExcluding": "17.1.7", "versionStartIncluding": "15.10.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "9DE9BFF3-C056-4146-A762-E34D60E10EDE", "versionEndExcluding": "17.2.5", "versionStartIncluding": "17.2.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "1F428DA1-FB1C-4B14-A1E1-65177E7F4B10", "versionEndExcluding": "17.2.5", "versionStartIncluding": "17.2.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "D2F29B41-64CF-4CEF-8EDF-BBDBA2FFE8C1", "versionEndExcluding": "17.3.2", "versionStartIncluding": "17.3.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "145E52CC-F503-446E-A760-1C01753DA938", "versionEndExcluding": "17.3.2", "versionStartIncluding": "17.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}