PT-2024-8871 · Gitlab · Gitlab Ce/Ee+1

Published

2024-11-26

Updated

2024-12-12

CVE-2024-8114

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 8.12 through 17.4.5 GitLab CE/EE versions 17.5 through 17.5.3 GitLab CE/EE versions 17.6 through 17.6.1

Description: The issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges. This problem is related to the lack of authorization procedures. An estimated 3.7M+ services and 375k+ results are found to be potentially affected.

Recommendations: For GitLab CE/EE versions 8.12 through 17.4.5, update to a version after 17.4.5. For GitLab CE/EE versions 17.5 through 17.5.3, update to a version after 17.5.3. For GitLab CE/EE versions 17.6 through 17.6.1, update to a version after 17.6.1. As a temporary workaround, consider restricting access to Personal Access Tokens (PAT) until a patch is available.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

BDU:2024-10538

BIT-GITLAB-2024-8114

CVE-2024-8114

Affected Products

Gitlab

Gitlab Ce/Ee

PT-2024-8871 · Gitlab · Gitlab Ce/Ee+1

CVE-2024-8114

Weakness Enumeration

Related Identifiers

Affected Products

References · 22