Open Redirect Vulnerability in GitLab CE/EE
CVE-2024-9387

6.4 MEDIUM

Key Information:

Vendor: GitLab
Status: Vendor
CVE Published: 12 December 2024

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

CVE-2024-9387 is a security vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) affecting versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. It is an open redirect condition in the releases API endpoint: by manipulating a request to this endpoint, an attacker can cause users to be redirected to an external site of the attacker's choosing. Because the flaw sits in an API endpoint, it is relevant to API security as well as to browser-facing phishing risk, and users of the affected GitLab versions should update promptly.

Affected Version(s)

GitLab >= 11.8, < 17.4.6
GitLab >= 17.5, < 17.5.4
GitLab >= 17.6, < 17.6.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published

Credit

Thanks to [swiftee](https://hackerone.com/swiftee) for reporting this vulnerability through our HackerOne bug bounty program.