CVE-2024-6389 — Exposure of Sensitive System Information to an Unauthorized Control Sphere in Gitlab

CWE-497 — Exposure of Sensitive System Information to an Unauthorized Control Sphere5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 80.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedSep 12

Description

An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5gitlab/gitlab17.1 — 17.1.7+2

▶NVDgitlab/gitlab17.0.0 — 17.1.7+2

▶debiandebian/gitlab< gitlab 17.3.5-2 (sid)

▶gitlabgitlab/gitlab

🔴Vulnerability Details

OSV

CVE-2024-6389: An issue was discovered in GitLab-CE/EE affecting all versions starting with 17↗2024-09-12

▶

GHSA

GHSA-gq8g-2h99-85rv: An issue was discovered in GitLab-CE/EE affecting all versions starting with 17↗2024-09-12

▶

📋Vendor Advisories

GitLab

CVE-2024-6389: An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attack↗2024-09-12

▶

Debian

CVE-2024-6389: gitlab - An issue was discovered in GitLab-CE/EE affecting all versions starting with 17....↗2024

▶