CVE-2024-7091
Published 2024-07-24
Priority: P4 · Severity: medium · CVSS 3.1 base score 5.0 (NVD)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
EPSS: 0.31% (23.0th percentile)
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 17.3.5-2 (sid) | gitlab 17.3.5-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 15.6 < 17.0.5 | 17.0.5 |
| gitlab | gitlab | >= 17.1 < 17.1.3 | 17.1.3 |
| gitlab | gitlab | >= 17.2 < 17.2.1 | 17.2.1 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 4.1 | MEDIUM | — |
OSV
CVE-2024-35176: ruby2.7 vulnerabilities (osv · 2024-11-21 · CVSS 5.3)
USN-7091-1 fixed several vulnerabilities in Ruby. This update provides the
corresponding update for CVE-2024-35176, CVE-2024-41123, CVE-2024-41946 and
CVE-2024-49761 for ruby2.7 in Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)
It was discovered that Ruby incorrectly handled parsing of an XML document
that has many entity expansions with SAX2 or pull parser API. An attacker
could use this issue to cause Ruby to crash
GHSA
GHSA-h8h7-r99g-m28c (ghsa_unreviewed · 2024-07-25 · MEDIUM · CWE-200)
Description: identical to the summary above.
GitLab
CVE-2024-7091 (vendor_gitlab · 2024-07-24 · CVSS 4.1 · MEDIUM · CWE-200)
Description: identical to the summary above.
Debian
CVE-2024-7091: gitlab (vendor_debian · 2024 · CVSS 4.1 · MEDIUM)
Description: identical to the summary above.
Scope: local
sid: resolved (fixed in 17.3.5-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-07-24