PT-2024-5145 · Gitlab · Gitlab Ce/Ee+1
Luke Duncalfe
·
Published
2024-04-24
·
Updated
2024-12-12
·
CVE-2024-4006
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
GitLab CE/EE versions 16.7 through 16.9.5
GitLab CE/EE versions 16.10 through 16.10.3
GitLab CE/EE versions 16.11 through 16.11.0
Description:
The issue is related to the GraphQL Subscription Handler component of the GitLab platform, which lacks protection of internal data. This can allow a remote attacker to gain unauthorized access to confidential information. The problem arises because personal access scopes are not honored by GraphQL subscriptions, potentially leading to data exposure.
Recommendations:
For GitLab CE/EE versions 16.7 through 16.9.5, update to version 16.9.6 or later.
For GitLab CE/EE versions 16.10 through 16.10.3, update to version 16.10.4 or later.
For GitLab CE/EE versions 16.11 through 16.11.0, update to version 16.11.1 or later.
Exploit
Fix
Incorrect Authorization
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Gitlab
Gitlab Ce/Ee