Products
GitLab CE/EE
- 11.8 - 16.11.6
- 17.0 - 17.0.4
- 17.1 - 17.1.2
Source
cve@gitlab.com
Tags
CVE-2024-6595 details
Published : July 17, 2024, 2:15 a.m.
Last Modified : July 17, 2024, 1:34 p.m.
Last Modified : July 17, 2024, 1:34 p.m.
Description
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data.
CVSS Score
| 1 | 2 | 3.0 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-427 | Uncontrolled Search Path Element | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
Base Score
3.0
Exploitability Score
1.3
Impact Score
1.4
Base Severity
LOW
Vector String : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
References
| URL | Source |
|---|---|
| https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem | cve@gitlab.com |
| https://gitlab.com/gitlab-org/gitlab/-/issues/417975 | cve@gitlab.com |
This website uses the NVD API, but is not approved or certified by it.