Unauthorized Access to Sensitive Data Due to Overly Broad Token Scopes in GitLab CE/EE

CVE-2024-11669

7.5HIGH

Key Information

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 26 November 2024

Summary

An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.

Affected Version(s)

GitLab < 17.4.5

GitLab < 17.5.3

GitLab < 17.6.1

Refferences

https://gitlab.com/gitlab-org/gitlab/-/issues/501528

issue-trackingpermissions-required

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 26, 2024
Vulnerability Reserved
Nov 25, 2024

Collectors

NVD DatabaseMitre Database

Credit

This vulnerability has been discovered internally by GitLab team member Dylan Griffith.