Unauthorized Access via Long-Lived Connections Found in GitLab

CVE-2024-11668

5.3MEDIUM

Key Information

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 26 November 2024

Summary

An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.

Affected Version(s)

GitLab < 17.4.5

GitLab < 17.5.3

GitLab < 17.6.1

Refferences

https://gitlab.com/gitlab-org/gitlab/-/issues/456922

issue-trackingpermissions-required

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 26, 2024
Vulnerability Reserved
Nov 25, 2024

Collectors

NVD DatabaseMitre Database

Credit

This vulnerability has been discovered internally by GitLab team members Dylan Griffith and Heinrich Lee Yu