CVE-2024-0456 — Forced Browsing in Gitlab

CWE-425 — Forced Browsing CWE-285 — Improper Authorization5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 76.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedJan 26

Description

An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5gitlab/gitlab14.0 — 16.6.6+2

▶NVDgitlab/gitlab14.0.0 — 16.6.6+2

▶debiandebian/gitlab< gitlab 16.6.6-1 (sid)

▶gitlabgitlab/gitlab

🔴Vulnerability Details

OSV

CVE-2024-0456: An authorization vulnerability exists in GitLab versions 14↗2024-01-26

▶

GHSA

GHSA-mr56-56j8-x6r4: An authorization vulnerability exists in GitLab versions 14↗2024-01-26

▶

📋Vendor Advisories

GitLab

CVE-2024-0456: An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacke↗2024-01-26

▶

Debian

CVE-2024-0456: gitlab - An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 1...↗2024

▶