PT-2024-10173 · GitLab · GitLab CE/EE
Salh4Ck
Published 2024-10-09 · Updated 2024-12-18
CVE-2024-8650
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
GitLab CE/EE versions 15.0 through 17.4.5
GitLab CE/EE versions 17.5 through 17.5.3
GitLab CE/EE versions 17.6 through 17.6.1
Description
The issue stems from insufficient authorization checks in the Public Project Handler component of GitLab, which let a remote, unauthenticated attacker (PR:N in the vector) read protected information. Specifically, a user who is not a member of a public project could view unresolved discussion threads marked as internal notes on that project's merge requests. Internal notes are intended to be visible only to project members with at least the Reporter role, so the flaw discloses review comments that maintainers meant to keep from the public; there is no integrity or availability impact (C:L/I:N/A:N).
Recommendations
For GitLab CE/EE versions 15.0 through 17.4.5, update to version 17.4.6 or later.
For GitLab CE/EE versions 17.5 through 17.5.3, update to version 17.5.4 or later.
For GitLab CE/EE versions 17.6 through 17.6.1, update to version 17.6.2 or later.
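As an added example (not part of this advisory and not GitLab's own code), the helper below does two things a practitioner wants after reading the ranges above: it decides whether a given GitLab version string falls inside one of the vulnerable ranges, and it scans the discussions a non-member client received for a public-project merge request, flagging every note GitLab returned with `internal: true` and noting whether its thread is unresolved (the case the advisory describes). The `internal`, `resolvable` and `resolved` field names are assumed from the GitLab Notes/Discussions API, and the sample payload is constructed for illustration; the version ranges are taken verbatim from the advisory.

```python
"""Exposure check for CVE-2024-8650 (internal MR notes visible to non-members).

Added example for this advisory; not GitLab code. Version ranges come from the
advisory. Note field names ('internal', 'resolvable', 'resolved') are assumed from
the GitLab Notes/Discussions API; SAMPLE_DISCUSSIONS is a constructed payload.
"""
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per the advisory: 15.0 to 17.4.5 -> 17.4.6,
# 17.5 to 17.5.3 -> 17.5.4, 17.6 to 17.6.1 -> 17.6.2.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((15, 0, 0), (17, 4, 6)),
    ((17, 5, 0), (17, 5, 4)),
    ((17, 6, 0), (17, 6, 2)),
)


def parse_version(version: str) -> Version:
    """Turn '17.4.5', '17.4' or '17.4.5-ee' into a comparable (major, minor, patch) tuple.

    Missing components default to 0; an edition suffix such as '-ee' is ignored.
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies in one of the advisory's vulnerable ranges."""
    v = parse_version(version)
    return any(first <= v < fixed for first, fixed in AFFECTED_RANGES)


def exposed_internal_notes(discussions: Iterable[dict]) -> List[dict]:
    """Given the discussions an UNAUTHENTICATED / non-member client received for a
    public-project merge request, return every note marked internal.

    Internal notes are restricted to members with at least the Reporter role, so any
    such note in a non-member response is a disclosure. 'unresolved' marks the exact
    condition the advisory describes (an unresolved thread).
    """
    leaked = []
    for disc in discussions:
        for note in disc.get("notes", []):
            if note.get("internal"):
                leaked.append({
                    "discussion_id": disc.get("id"),
                    "note_id": note.get("id"),
                    "unresolved": bool(note.get("resolvable", False)) and not note.get("resolved", False),
                })
    return leaked


# Constructed sample in the assumed shape of
# GET /api/v4/projects/:id/merge_requests/:iid/discussions (field names assumed).
SAMPLE_DISCUSSIONS = [
    {"id": "a1", "notes": [
        {"id": 1, "body": "LGTM", "internal": False, "resolvable": True, "resolved": True}]},
    {"id": "b2", "notes": [
        {"id": 2, "body": "Internal: rotate the staging key before merge",
         "internal": True, "resolvable": True, "resolved": False}]},
    {"id": "c3", "notes": [
        {"id": 3, "body": "Internal, already handled",
         "internal": True, "resolvable": True, "resolved": True}]},
]


if __name__ == "__main__":
    for v in ("17.4.5-ee", "17.4.6", "17.5.3", "17.6.2", "14.10.5"):
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for hit in exposed_internal_notes(SAMPLE_DISCUSSIONS):
        print("internal note returned to non-member:", hit)
```

To run the scan against a real instance, fetch `GET /api/v4/projects/:id/merge_requests/:iid/discussions` for a public project without a token and pass the decoded JSON to `exposed_internal_notes`; on a patched instance the result should be an empty list, because internal notes must not appear in a non-member's response at all. The version check is the quicker first step: if `is_affected` returns True, apply the corresponding upgrade from the recommendations above.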
Weakness Enumeration
Incorrect Authorization (CWE-863)
Affected Products
GitLab CE/EE