CVE-2024-7404

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 17.2 through 17.3.7 GitLab CE/EE versions 17.4 through 17.4.4 GitLab CE/EE versions 17.5 through 17.5.2

Description The issue is related to the incorrect limitation of visible layers in the user interface of the GitLab CE/EE platform, which could allow a remote attacker to gain unauthorized access to the API via the Device OAuth flow. This could potentially allow an attacker to gain full API access as the victim.

Recommendations For GitLab CE/EE versions 17.2 through 17.3.7, update to version 17.3.7 or later. For GitLab CE/EE versions 17.4 through 17.4.4, update to version 17.4.4 or later. For GitLab CE/EE versions 17.5 through 17.5.2, update to version 17.5.2 or later. As a temporary workaround, consider restricting access to the Device OAuth flow until a patch is available.