GitLab Permission Check Vulnerability Affects User Repositories

CVE-2024-3035

8.1HIGH

Key Information

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 8 August 2024

Summary

A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories.

Affected Version(s)

GitLab < 17.0.6

GitLab < 17.1.4

GitLab < 17.2.2

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Aug 8, 2024
Vulnerability Reserved.
Mar 28, 2024

Collectors

NVD DatabaseMitre Database

Credit

Thanks [pwnie](https://hackerone.com/pwnie) for reporting this vulnerability through our HackerOne bug bounty program