Products
GitLab CE/EE
- 17.0 - 17.0.3
- 17.1 - 17.1.1
Source
cve@gitlab.com
Tags
CVE-2024-5257 details
Published : July 11, 2024, 7:15 a.m.
Last Modified : July 11, 2024, 1:05 p.m.
Last Modified : July 11, 2024, 1:05 p.m.
Description
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace.
CVSS Score
| 1 | 2 | 3 | 4.9 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-284 | Improper Access Control | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
4.9
Exploitability Score
1.2
Impact Score
3.6
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
References
| URL | Source |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/463149 | cve@gitlab.com |
| https://hackerone.com/reports/2513934 | cve@gitlab.com |
This website uses the NVD API, but is not approved or certified by it.