Products
GitLab EE
- 16.5 - 17.2.7
- 17.3 - 17.3.3
- 17.4 - 17.4.0
gitlab
- *
gitlab
- 1
- 7
- .
- 4
- .
- 0
Source
cve@gitlab.com
Tags
CVE-2024-4278 details
Last Modified : Sept. 26, 2024, 4:55 p.m.
Description
An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.
CVSS Score
| 1 | 2.7 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-662 | Improper Synchronization | The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. |
| CWE-821 | Incorrect Synchronization | The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
2.7
Exploitability Score
1.2
Impact Score
1.4
Base Severity
LOW
Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
References
| URL | Source |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/458484 | cve@gitlab.com |
| https://hackerone.com/reports/2466205 | cve@gitlab.com |
CPEs
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | gitlab | gitlab | / | / | / | / | enterprise | / | / | / |
| a | gitlab | gitlab | / | / | / | / | enterprise | / | / | / |
| a | gitlab | gitlab | 17.4.0 | / | / | / | enterprise | / | / | / |