SecuriTricks - CVE-2024-4278

Description

An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.

Product(s) Impacted

Vendor	Product	Versions
Gitlab	Gitlab	*, 17.4.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-662

Improper Synchronization

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

CWE-821

Incorrect Synchronization

The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	gitlab	gitlab	/	/	/	/	enterprise	/	/	/
a	gitlab	gitlab	/	/	/	/	enterprise	/	/	/
a	gitlab	gitlab	17.4.0	/	/	/	enterprise	/	/	/

References

https://gitlab.com/gitlab-org/gitlab/-/issues/458484

https://hackerone.com/reports/2466205

CVSS Score

2.7 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

View Vector String

Timeline

Published: Sept. 26, 2024, 7:15 a.m.
Last Modified: Oct. 8, 2024, 7:51 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@gitlab.com

CVE-2024-4278