PT-2024-5510 · Gitlab · Gitlab Ce/Ee+1

Published: 2024-08-07 · Updated: 2024-08-29 · CVE-2024-3035

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

GitLab CE/EE versions 8.12 through 17.0.5
GitLab CE/EE versions 17.1 through 17.1.3
GitLab CE/EE versions 17.2 through 17.2.1
Description

The issue is a missing permission check in the handling of LFS tokens. An LFS token is meant to authorize only Git LFS operations, but on affected versions it could also be used to read from and write to the repositories owned by the token's user. A remote attacker who holds such a token (the vector's PR:L) can therefore read protected repository content and write arbitrary files into those repositories.
Recommendations

For GitLab CE/EE versions 8.12 through 17.0.5, update to version 17.0.6 or later.
For GitLab CE/EE versions 17.1 through 17.1.3, update to version 17.1.4 or later.
For GitLab CE/EE versions 17.2 through 17.2.1, update to version 17.2.2 or later.

As a temporary workaround until the update is applied, limit the exposure of LFS tokens: treat them as credentials with read/write access to the owner's repositories, restrict which clients and jobs receive them, and revoke any token that may have leaked.
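The three affected ranges above map cleanly onto a version check. The following script is an added example for this page, not tooling from the advisory or from GitLab: it parses a GitLab version string (the `version` field returned by `GET /api/v4/version` with a `PRIVATE-TOKEN` header is the usual source) and reports whether the instance falls inside an affected range and which release first fixes that branch. The sample versions at the bottom are constructed for illustration.

```python
"""Check a GitLab version string against the affected ranges for CVE-2024-3035.

Ranges are taken from the advisory text:
  8.12 <= v < 17.0.6  -> update to 17.0.6 or later
  17.1 <= v < 17.1.4  -> update to 17.1.4 or later
  17.2 <= v < 17.2.2  -> update to 17.2.2 or later
"""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound, first fixed release)
AFFECTED_RANGES = [
    ((8, 12, 0), (17, 0, 6), "17.0.6"),
    ((17, 1, 0), (17, 1, 4), "17.1.4"),
    ((17, 2, 0), (17, 2, 2), "17.2.2"),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' (e.g. '17.0.5-ee') into a tuple.

    A missing patch number is treated as 0 and edition suffixes such as
    '-ee' are ignored, so '17.1' sorts as the first release of the 17.1 branch.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def recommended_fix(version: str) -> Optional[str]:
    """Return the first patched release for the branch containing `version`,
    or None when the version lies outside every affected range."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v < high:
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True if `version` is inside one of the advisory's affected ranges."""
    return recommended_fix(version) is not None


def report(version: str) -> str:
    """Human-readable one-line verdict for `version`."""
    fixed = recommended_fix(version)
    if fixed is None:
        return f"{version}: not affected by CVE-2024-3035"
    return f"{version}: AFFECTED by CVE-2024-3035, update to {fixed} or later"


if __name__ == "__main__":
    # Versions from argv, or a constructed sample set when none are given.
    samples = sys.argv[1:] or ["16.11.0", "17.0.5-ee", "17.1.3", "17.2.1", "17.2.2", "8.11.9"]
    for sample in samples:
        print(report(sample))
```

Versions below 8.12 and any release at or above the fixed version of its branch are reported as not affected; a 16.x instance is affected and, per the advisory, must move to 17.0.6 or later because no 16.x patch is listed.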

Exploit

Fix

Weakness Enumeration

IDOR

Related Identifiers

BDU:2024-06159
BIT-GITLAB-2024-3035
CVE-2024-3035

Affected Products

Gitlab
Gitlab Ce/Ee