Unauthorized Access to Sensitive Data Due to Overly Broad Token Scopes in GitLab CE/EE
CVE-2024-11669

7.5HIGH

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 26 November 2024

Summary

A security issue has been identified in GitLab CE/EE that affects multiple versions. The vulnerability arises from an overly broad application of token scopes which may allow unauthorized access to sensitive data through certain API endpoints. As a result, users may face risks related to data confidentiality and integrity. It is crucial for users of the affected products to evaluate their configurations and implement necessary security measures to mitigate potential exposure risks.

Affected Version(s)

GitLab 16.9.8 < 17.4.5

GitLab 17.5 < 17.5.3

GitLab 17.6 < 17.6.1

References

https://gitlab.com/gitlab-org/gitlab/-/issues/501528

issue-trackingpermissions-required

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 26, 2024
Vulnerability Reserved
Nov 25, 2024

Credit

This vulnerability has been discovered internally by GitLab team member Dylan Griffith.