Denial of Service Vulnerability in GitLab CE/EE Affects Multiple Versions
CVE-2024-11828

7.5HIGH

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 26 November 2024

Badges

👾 Exploit Exists

Summary

CVE-2024-11828 is a high-risk denial of service (DoS) vulnerability identified in GitLab CE/EE. This issue affects all versions from 13.2.4 prior to 17.4.5, from 17.5 before 17.5.3, and from 17.6 before 17.6.1. An attacker can exploit this vulnerability by sending forged API calls, leading to a potential DoS condition that can disrupt services and impact availability. This vulnerability represents a regression of a prior patch, making it crucial for users to update their systems to mitigate possible exploitation.

Affected Version(s)

GitLab 13.2.4 < 17.4.5

GitLab 17.5 < 17.5.3

GitLab 17.6 < 17.6.1

References

https://gitlab.com/gitlab-org/gitlab/-/issues/443559

issue-trackingpermissions-required

https://hackerone.com/reports/2380264

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 26, 2024
👾
Exploit known to exist
Nov 26, 2024
Vulnerability published
Nov 26, 2024
Vulnerability Reserved
Nov 26, 2024

Credit

Thanks [luryus](https://hackerone.com/luryus) for reporting this vulnerability through our HackerOne bug bounty program