Incorrect Authorization in GitLab
CVE-2024-2743

9.1CRITICAL

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 12 September 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability has been identified in GitLab-EE that affects versions starting from 13.3 up to 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. This issue can enable attackers to alter on-demand DAST scans without appropriate permissions, leading to potential exposure of sensitive variables. The implications of this vulnerability necessitate immediate attention to prevent unauthorized access and ensure the integrity of data security practices.

Affected Version(s)

GitLab 13.3 < 17.1.7

GitLab 17.2 < 17.2.5

GitLab 17.3 < 17.3.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-2743 - Proof of Concept

References

https://gitlab.com/gitlab-org/gitlab/-/issues/451014

issue-trackingpermissions-required

https://hackerone.com/reports/2411756

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Sep 12, 2024
👾
Exploit known to exist
Sep 12, 2024
Vulnerability published
Sep 12, 2024

Credit

Thanks [0xn3va](https://hackerone.com/0xn3va) for reporting this vulnerability through our HackerOne bug bounty program