PT-2024-7078 · Gitlab · Gitlab Ce/Ee+1

Js_Noob

Published

2024-05-16

Updated

2024-12-12

CVE-2024-5005

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions GitLab EE/CE versions 11.4 through 17.2.8 GitLab EE/CE versions 17.3 through 17.3.4 GitLab EE/CE versions 17.4 through 17.4.1

Description The issue is related to errors in the representation of given functions in the GitLab platform, allowing a remote attacker to gain unauthorized access to protected information. Specifically, it was possible for guest users to disclose project templates using the API.

Recommendations For GitLab EE/CE versions 11.4 through 17.2.8, update to version 17.2.9 or later. For GitLab EE/CE versions 17.3 through 17.3.4, update to version 17.3.5 or later. For GitLab EE/CE versions 17.4 through 17.4.1, update to version 17.4.2 or later. As a temporary workaround, consider restricting access to the API for guest users until a patch is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-684

Related Identifiers

BDU:2024-08337

BIT-GITLAB-2024-5005

CVE-2024-5005

Affected Products

Gitlab

Gitlab Ce/Ee

PT-2024-7078 · Gitlab · Gitlab Ce/Ee+1

CVE-2024-5005

Weakness Enumeration

Related Identifiers

Affected Products

References · 15