CVE-2024-0410 — Improper Enforcement of Behavioral Workflow in Gitlab

CWE-841 — Improper Enforcement of Behavioral Workflow CWE-284 — Improper Access Control5 documents5 sources

Severity

7.7HIGHNVD

EPSS

0.0%

top 98.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedFeb 22

Description

An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:NExploitability: 1.3 | Impact: 5.8

Affected Packages4 packages

▶CVEListV5gitlab/gitlab15.1 — 16.7.6+2

▶NVDgitlab/gitlab15.1.0 — 16.7.6+2

▶debiandebian/gitlab< gitlab 16.8.3-1 (sid)

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-27r2-6rqh-xrg8: An authorization bypass vulnerability was discovered in GitLab affecting versions 15↗2024-02-22

▶

OSV

CVE-2024-0410: An authorization bypass vulnerability was discovered in GitLab affecting versions 15↗2024-02-22

▶

📋Vendor Advisories

GitLab

CVE-2024-0410: An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1↗2024-02-22

▶

Debian

CVE-2024-0410: gitlab - An authorization bypass vulnerability was discovered in GitLab affecting version...↗2024

▶