CVE-2024-2177

A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/444467	Exploit Issue Tracking
https://hackerone.com/reports/2383443	Permissions Required
https://gitlab.com/gitlab-org/gitlab/-/issues/444467	Exploit Issue Tracking
https://hackerone.com/reports/2383443	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:17.1.0::::community:::
	cpe:2.3:a:gitlab:gitlab:17.1.0::::enterprise:::

History

12 Dec 2024, 20:17

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/444467 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/444467 - Exploit, Issue Tracking
References	~~() https://hackerone.com/reports/2383443 -~~	() https://hackerone.com/reports/2383443 - Permissions Required
First Time		Gitlab Gitlab gitlab
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:17.1.0::::enterprise::: cpe:2.3:a:gitlab:gitlab:17.1.0::::community::: cpe:2.3:a:gitlab:gitlab:::::community:::*

21 Nov 2024, 09:09

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/444467 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/444467 -
References	~~() https://hackerone.com/reports/2383443 -~~	() https://hackerone.com/reports/2383443 -
Summary		(es) Existe una vulnerabilidad de falsificación de ventanas cruzadas dentro de GitLab CE/EE que afecta a todas las versiones desde 16.3 anteriores a 16.11.5, 17.0 anteriores a 17.0.3 y 17.1 anteriores a 17.1.1. Esta condición permite que un atacante abuse del flujo de autenticación OAuth mediante un payload manipulado.

09 Jul 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-09 14:15

Updated : 2024-12-12 20:17

NVD link : CVE-2024-2177

Mitre link : CVE-2024-2177

CVE.ORG link : CVE-2024-2177

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

6.8 /10