CVE-2024-11669

An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/501528	Broken Link

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:17.6.0::::community:::
	cpe:2.3:a:gitlab:gitlab:17.6.0::::enterprise:::

History

12 Dec 2024, 21:11

Type	Values Removed	Values Added
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:17.6.0::::enterprise::: cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:17.6.0::::community:::
CWE		NVD-CWE-noinfo
First Time		Gitlab Gitlab gitlab
Summary		(es) Se descubrió un problema en GitLab CE/EE que afectaba a todas las versiones desde la 16.9.8 hasta la 17.4.5, desde la 17.5 hasta la 17.5.3 y desde la 17.6 hasta la 17.6.1. Ciertos endpoints de API podrían permitir el acceso no autorizado a datos confidenciales debido a la aplicación demasiado amplia de los alcances de los tokens.
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/501528 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/501528 - Broken Link

26 Nov 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-26 19:15

Updated : 2024-12-12 21:11

NVD link : CVE-2024-11669

Mitre link : CVE-2024-11669

CVE.ORG link : CVE-2024-11669

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-863

Incorrect Authorization

NVD-CWE-noinfo

{"id": "CVE-2024-11669", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-11-26T19:15:22.367", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/501528", "tags": ["Broken Link"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en GitLab CE/EE que afectaba a todas las versiones desde la 16.9.8 hasta la 17.4.5, desde la 17.5 hasta la 17.5.3 y desde la 17.6 hasta la 17.6.1. Ciertos endpoints de API podr\u00edan permitir el acceso no autorizado a datos confidenciales debido a la aplicaci\u00f3n demasiado amplia de los alcances de los tokens."}], "lastModified": "2024-12-12T21:11:00.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "555160BC-DF24-4025-ACB6-4B79907F7094", "versionEndExcluding": "17.4.5", "versionStartIncluding": "16.9.8"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "54A6B5EA-1A08-4D43-9C2B-CAC5DE109873", "versionEndExcluding": "17.4.5", "versionStartIncluding": "16.9.8"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "5C1F85A0-709A-4C88-9C40-93D3C47AFD54", "versionEndExcluding": "17.5.3", "versionStartIncluding": "17.5.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "305F5CB5-5B11-4AA7-ABAE-D4B9A05F6B4A", "versionEndExcluding": "17.5.3", "versionStartIncluding": "17.5.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:17.6.0:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "3A39B04B-D109-467A-82E1-3FE6CBA48FEE"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:17.6.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "1212AE23-98AB-4E7A-AAB5-0AD266DFC7D4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}