cbcvebase.
CVE-2024-4024
published 2024-04-25

CVE-2024-4024: An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all…

PriorityP265high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
14.90%
96.3th percentile
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab.

Affected

9 ranges
VendorProductVersion rangeFixed in
debiangitlab< gitlab 17.3.5-2 (sid)gitlab 17.3.5-2 (sid)
gitlabgitlab
gitlabgitlab
gitlabgitlab>= 16.10 < 16.10.416.10.4
gitlabgitlab>= 16.10.0 < 16.10.416.10.4
gitlabgitlab>= 16.11 < 16.11.116.11.1
gitlabgitlab>= 7.8 < 16.9.616.9.6
gitlabgitlab>= 7.8.0 < 16.9.616.9.6
gitlabgitlab_ce

Detection & IOCsextracted from sources · hover to see the quote

  • Monitor GitLab OAuth 2.0 authentication flows where Bitbucket is configured as the provider; flag account login events where the authenticating Bitbucket identity does not match the GitLab account owner's previously linked Bitbucket identity.
  • Alert on GitLab account ownership changes (email, SSH key, or token additions) immediately following a Bitbucket OAuth login event, which may indicate a successful account takeover via this flaw.
  • ·The vulnerability only applies when Bitbucket is explicitly configured as an OAuth 2.0 provider on the GitLab instance; instances not using Bitbucket OAuth are not affected.
  • ·Affected GitLab CE/EE versions span a very wide range (from 7.8 onward); patched versions are 16.9.6+, 16.10.4+, and 16.11.1+. Debian sid resolved the issue in package version 17.3.5-2.
  • ·Exploitation requires the attacker to already possess valid Bitbucket account credentials; the flaw is in how GitLab maps those credentials to a GitLab account, not in credential theft itself.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian7.3HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.