CVE-2024-8635

A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

History

21 Nov 2024, 09:53

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.5
v2 : unknown
v3 : 7.7
References
  • () https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/ -

14 Sep 2024, 15:24

Type Values Removed Values Added
First Time Gitlab gitlab
Gitlab
Summary
  • (es) Se ha descubierto un problema de server-side request forgery en GitLab EE que afecta a todas las versiones a partir de la 16.8 anterior a la 17.1.7, de la 17.2 anterior a la 17.2.5 y de la 17.3 anterior a la 17.3.2. Un atacante podía realizar solicitudes a recursos internos mediante una URL de proxy de dependencia de Maven personalizada
References () https://gitlab.com/gitlab-org/gitlab/-/issues/455273 - () https://gitlab.com/gitlab-org/gitlab/-/issues/455273 - Broken Link
CVSS v2 : unknown
v3 : 7.7
v2 : unknown
v3 : 6.5
CPE cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*

12 Sep 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-12 17:15

Updated : 2024-11-21 09:53


NVD link : CVE-2024-8635

Mitre link : CVE-2024-8635

CVE.ORG link : CVE-2024-8635


JSON object : View

Products Affected

gitlab

  • gitlab
CWE
CWE-918

Server-Side Request Forgery (SSRF)