CVE-2024-1299
Published 2024-03-07
Priority P3 (49) · high · 8.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS 0.54% (41.3 percentile)
A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. A user holding a custom role with the `manage_group_access_tokens` permission could rotate group access tokens and receive tokens carrying Owner privileges. Because a group access token acts as a group member at the token's access level, an Owner-level token gives its holder control over the group and its projects well beyond what the custom role itself granted.
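Two triage checks a GitLab administrator would want for this advisory, written here as an added example (not code from this page, GitLab, or the HackerOne report): classify a running instance's version string against the fixed ranges listed on this page, and review existing group access tokens for the Owner access level, which is the outcome the advisory describes. The version string is assumed to come from GitLab's `GET /api/v4/version` endpoint and the token objects from `GET /api/v4/groups/:id/access_tokens`; the field names and the Owner access level value 50 follow GitLab's documented API, and the sample tokens are constructed. An Owner-level token is not by itself proof of exploitation, only a prompt to confirm who created or rotated it.

```python
"""Triage helpers for CVE-2024-1299 (GitLab group access token rotation).

Added example, not GitLab's code. Two checks:
  1. is_affected(): classify a GitLab version string against the fixed
     ranges on this page (16.8.0 to 16.8.3 and 16.9.0 to 16.9.1).
  2. owner_level_tokens(): flag group access tokens carrying the Owner
     access level, the privilege the advisory says could be obtained.
"""
from __future__ import annotations

import re
from typing import Iterable

# (first affected, first fixed) pairs taken from the Affected table.
AFFECTED_RANGES = (
    ((16, 8, 0), (16, 8, 4)),
    ((16, 9, 0), (16, 9, 2)),
)

# GitLab access levels are integers; 50 is Owner (40 Maintainer, 30 Developer).
OWNER_ACCESS_LEVEL = 50


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '16.8.3', '16.8.3-ee' or 'v16.9' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True when the version falls inside a vulnerable range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def owner_level_tokens(tokens: Iterable[dict]) -> list[dict]:
    """Return live tokens whose access_level is Owner (50) or higher.

    `tokens` is assumed to be shaped like the objects returned by
    GET /api/v4/groups/:id/access_tokens (fields: id, name, access_level,
    active, revoked). Revoked or inactive tokens are skipped.
    """
    return [
        t for t in tokens
        if t.get("active", True) and not t.get("revoked", False)
        and int(t.get("access_level", 0)) >= OWNER_ACCESS_LEVEL
    ]


# Constructed sample data (not real tokens or groups).
SAMPLE_TOKENS = [
    {"id": 101, "name": "ci-deploy", "access_level": 40, "active": True, "revoked": False},
    {"id": 102, "name": "ci-deploy", "access_level": 50, "active": True, "revoked": False},
    {"id": 103, "name": "old-bot", "access_level": 50, "active": False, "revoked": True},
]

if __name__ == "__main__":
    for ver in ("16.7.9", "16.8.3-ee", "16.8.4", "16.9.1", "16.9.2"):
        print(f"{ver:10} affected={is_affected(ver)}")
    for t in owner_level_tokens(SAMPLE_TOKENS):
        print(f"review token id={t['id']} name={t['name']!r} (Owner level)")
```

Run against a real instance by feeding `is_affected()` the `version` field from `/api/v4/version` and `owner_level_tokens()` the JSON list from the group access tokens endpoint; any instance that reports affected should be upgraded to 16.8.4 or 16.9.2 before tokens are reviewed, since rotation on the old version would reproduce the problem.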
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlab | gitlab | >= 16.8.0, < 16.8.4 | 16.8.4 |
| gitlab | gitlab | >= 16.9.0, < 16.9.2 | 16.9.2 |
| debian | gitlab | < 16.8.4-1 (sid) | 16.8.4-1 (sid) |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| osv | 8.1 | HIGH | |
| vendor_gitlab | 6.5 | MEDIUM | |
| vendor_debian | 6.5 | MEDIUM | |
GHSA
GHSA-27h4-9w4j-cp97 · ghsa_unreviewed · 2024-03-07 · MEDIUM · CWE-268 (Privilege Chaining)
OSV
CVE-2024-1299 · osv · 2024-03-07 · CVSS 8.1 HIGH
GitLab
CVE-2024-1299 · vendor_gitlab · 2024-03-07 · CVSS 6.5 MEDIUM · CWE-268 (Privilege Chaining)
Debian
CVE-2024-1299 (gitlab) · vendor_debian · 2024 · CVSS 6.5 MEDIUM
Scope: local
sid: resolved (fixed in 16.8.4-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released/
https://gitlab.com/gitlab-org/gitlab/-/issues/440745
https://hackerone.com/reports/2356976