CVE-2024-3035 — Authorization Bypass Through User-Controlled Key in Gitlab

CWE-639 — Authorization Bypass Through User-Controlled Key CWE-20 — Improper Input Validation6 documents6 sources

Severity

8.1HIGHNVD

EPSS

0.0%

top 86.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedAug 8

Latest updateJun 18

Description

A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages5 packages

▶CVEListV5gitlab/gitlab8.12 — 17.0.6+1

▶NVDgitlab/gitlab8.12.0 — 17.0.6+3

▶debiandebian/gitlab< gitlab 17.3.5-2 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-rvj3-54w6-vrw6: A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8↗2024-08-08

▶

OSV

CVE-2024-3035: A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8↗2024-08-08

▶

📋Vendor Advisories

Red Hat

kernel: wifi: mt76: disable napi on driver removal↗2025-06-18

▶

GitLab

CVE-2024-3035: A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17↗2024-08-08

▶

Debian

CVE-2024-3035: gitlab - A permission check vulnerability in GitLab CE/EE affecting all versions starting...↗2024

▶