PT-2024-5349 · Gitlab · Gitlab Ce/Ee+1
Ashish_R_Padelkar
·
Published
2024-07-10
·
Updated
2024-07-13
·
CVE-2024-2880
CVSS v2.0
4.0
Medium
| Vector | AV:N/AC:L/Au:S/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
GitLab CE/EE versions 16.5 through 16.11.6
GitLab CE/EE versions 17.0 through 17.0.4
GitLab CE/EE versions 17.1 through 17.1.2
Description
The issue is related to insufficient access control in the
admin group member function of the Group Member Handler component in GitLab. This can allow a remote attacker to ban arbitrary group members. A user with the admin group member custom role permission can exploit this issue.Recommendations
For GitLab CE/EE versions 16.5 through 16.11.6, update to version 16.11.6 or later.
For GitLab CE/EE versions 17.0 through 17.0.4, update to version 17.0.4 or later.
For GitLab CE/EE versions 17.1 through 17.1.2, update to version 17.1.2 or later.
As a temporary workaround, consider restricting the
admin group member custom role permission to minimize the risk of exploitation.Exploit
Fix
Improper Access Control
Incorrect Privilege Assignment
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Gitlab
Gitlab Ce/Ee