GitLab Authorization Vulnerability: Bypass Pipeline Authorization Logic

CVE-2024-5258

4.4MEDIUM

Key Information

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 23 May 2024

Summary

An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.

Affected Version(s)

GitLab < 16.10.6

GitLab < 16.11.3

GitLab < 17.0.1

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability Reserved.
May 23, 2024
Vulnerability published.
May 23, 2024

Collectors

NVD DatabaseMitre Database

Credit

Thanks to GitLab Team Member, Andrew Winata for reporting this issue