PT-2024-5146 · GitLab · GitLab CE/EE
Author: Bogdan Denkovych
Published: 2024-04-24 · Updated: 2024-12-12
CVE-2024-4024
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
GitLab CE/EE versions 7.8 through 16.9.5
GitLab CE/EE versions 16.10 through 16.10.3
GitLab CE/EE versions 16.11 through 16.11.0
Description:
An issue has been discovered in GitLab CE/EE that affects access control when Bitbucket is used as an OAuth 2.0 provider. Under certain conditions, an attacker holding their own Bitbucket account credentials may be able to take over a GitLab account that is linked to another user's Bitbucket account.
Recommendations:
For versions 7.8 through 16.9.5, update to version 16.9.6 or later.
For versions 16.10 through 16.10.3, update to version 16.10.4 or later.
For versions 16.11 through 16.11.0, update to version 16.11.1 or later.
As a temporary workaround, consider restricting the use of Bitbucket as an OAuth 2.0 provider on GitLab until a patch is applied.
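As an added example that is not part of the advisory or of GitLab's own code, the following Python audit maps a GitLab version string onto the affected ranges and fixed releases listed above and, when the instance is in range, lists the accounts that are exposed because they carry a linked Bitbucket identity. It assumes the response shapes of the admin `GET /api/v4/version` and `GET /api/v4/users` endpoints; the JSON it runs on here is constructed sample data.

```python
import json
from typing import List, Optional, Tuple
# Affected ranges (first, last) and first fixed release, as listed in the advisory.
AFFECTED = [
    ((7, 8, 0), (16, 9, 5), "16.9.6"),
    ((16, 10, 0), (16, 10, 3), "16.10.4"),
    ((16, 11, 0), (16, 11, 0), "16.11.1"),
]

def parse_version(text: str) -> Tuple[int, ...]:
    """'16.10.2-ee' or '16.9' -> comparable (major, minor, patch) tuple;
    edition suffixes are dropped, missing components default to 0."""
    parts = text.strip().split("-", 1)[0].split(".")[:3]
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))

def fix_for(version_text: str) -> Optional[str]:
    """First fixed release to upgrade to, or None when the version lies outside
    every affected range (patched releases and anything older than 7.8)."""
    v = parse_version(version_text)
    for first, last, fixed in AFFECTED:
        if first <= v <= last:
            return fixed
    return None

def bitbucket_linked_users(users_json: str) -> List[str]:
    """Usernames whose linked identities include the 'bitbucket' provider, read
    from the JSON array that an admin GET /api/v4/users returns."""
    return [u["username"] for u in json.loads(users_json)
            if any(i.get("provider") == "bitbucket" for i in u.get("identities", []))]

def audit(version_json: str, users_json: str) -> dict:
    """Combine GET /api/v4/version output with the user list: is the instance in
    an affected range, what to upgrade to, and which accounts are exposed."""
    version = json.loads(version_json)["version"]
    fixed = fix_for(version)
    return {"version": version, "vulnerable": fixed is not None, "upgrade_to": fixed,
            "exposed_users": bitbucket_linked_users(users_json) if fixed else []}

# Constructed sample API responses (not real data; revision is a placeholder).
SAMPLE_VERSION = '{"version": "16.10.2-ee", "revision": "PLACEHOLDER"}'
SAMPLE_USERS = json.dumps([
    {"username": "alice", "identities": [{"provider": "bitbucket", "extern_uid": "{uuid-a}"}]},
    {"username": "bob", "identities": [{"provider": "github", "extern_uid": "42"}]},
    {"username": "carol", "identities": []},
])
if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_VERSION, SAMPLE_USERS), indent=2))
```

Accounts reported under `exposed_users` are the ones to review first when applying the workaround above, since only Bitbucket-linked identities are affected.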
Weakness: Improper Authentication; Improper Access Control
Affected Products: Bitbucket, GitLab, GitLab CE/EE