PT-2024-37586 · Gitlab · Gitlab Ce/Ee+1
Author: Ashish_R_Padelkar
Published: 2024-09-12 · Updated: 2024-09-14
CVE-2024-6389
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
GitLab-CE/EE versions 17.0 through 17.1.7
GitLab-CE/EE versions 17.2 through 17.2.5
GitLab-CE/EE versions 17.3 through 17.3.2
Description
An issue was discovered in GitLab-CE/EE where an attacker, as a guest user, was able to access commit information via the "release Atom endpoint", contrary to permissions.
Recommendations
For versions 17.0 through 17.1.7, update to version 17.1.7 or later.
For versions 17.2 through 17.2.5, update to version 17.2.5 or later.
For versions 17.3 through 17.3.2, update to version 17.3.2 or later.
As a temporary workaround until the fixed version can be deployed, consider restricting access to the release Atom endpoint.
Affected Products
Gitlab
Gitlab Ce/Ee