PT-2024-1901 · GitLab · GitLab CE/EE +1

Drew Blessing · Published 2024-02-15 · Updated 2024-10-03 · CVE-2024-1525

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
GitLab CE/EE versions 16.1 through 16.7.5
GitLab CE/EE versions 16.8 through 16.8.2
GitLab CE/EE versions 16.9 through 16.9.0

Description
An issue has been discovered affecting GitLab CE/EE where, under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and then sign in using direct (password) authentication with the reset password, bypassing LDAP. This is caused by insufficient access restriction in the LDAP authentication implementation. The issue may allow a remote attacker to reset the password of an arbitrary user and gain access to the system.

Recommendations
For GitLab CE/EE versions 16.1 through 16.7.5, update to version 16.7.6 or later.
For GitLab CE/EE versions 16.8 through 16.8.2, update to version 16.8.3 or later.
For GitLab CE/EE versions 16.9 through 16.9.0, update to version 16.9.1 or later.

Weakness Enumeration

Improper Access Control
Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

BDU:2024-01677
BIT-GITLAB-2024-1525
CVE-2024-1525

Affected Products

Gitlab
Gitlab Ce/Ee