Access Control Vulnerability in GitLab CE/EE Revealed

CVE-2024-8650

5.3MEDIUM

Key Information

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 16 December 2024

Summary

CVE-2024-8650 is a high-risk access control vulnerability present in GitLab CE/EE, affecting versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. This vulnerability allows unauthorized non-member users to view unresolved threads marked as internal notes in public project merge requests. Such exposure could lead to the unintentional disclosure of sensitive information intended only for internal team members, which poses significant security risks. It is imperative for GitLab users to apply the necessary updates to protect against this vulnerability.

Affected Version(s)

GitLab < 17.4.6

GitLab < 17.5.4

GitLab < 17.6.2

Refferences

https://gitlab.com/gitlab-org/gitlab/-/issues/486300

issue-trackingpermissions-required

https://hackerone.com/reports/2705909

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 16, 2024
Vulnerability Reserved
Sep 10, 2024

Collectors

NVD DatabaseMitre Database

Credit

Thanks [salh4ckr](https://hackerone.com/salh4ckr) for reporting this vulnerability through our HackerOne bug bounty program