CVE-2024-8647 — Path Traversal in Gitlab

CWE-22 — Path Traversal5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.1%

top 66.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedDec 12

Description

An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶CVEListV5gitlab/gitlab15.2 — 17.4.6+2

▶NVDgitlab/gitlab15.2.0 — 17.4.6+2

▶debiandebian/gitlab< gitlab 17.5.5-1 (sid)

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-4xpw-245v-vp2w: An issue was discovered in GitLab affecting all versions starting 15↗2024-12-12

▶

OSV

CVE-2024-8647: An issue was discovered in GitLab affecting all versions starting 15↗2024-12-12

▶

📋Vendor Advisories

GitLab

CVE-2024-8647: An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted insta↗2024-12-12

▶

Debian

CVE-2024-8647: gitlab - An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6...↗2024

▶