CVE-2024-3035

A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

History

29 Aug 2024, 15:55

Type Values Removed Values Added
References () https://gitlab.com/gitlab-org/gitlab/-/issues/452297 - () https://gitlab.com/gitlab-org/gitlab/-/issues/452297 - Broken Link
References () https://hackerone.com/reports/2424715 - () https://hackerone.com/reports/2424715 - Permissions Required
First Time Gitlab
Gitlab gitlab
CPE cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
CVSS v2 : unknown
v3 : 6.8
v2 : unknown
v3 : 8.1

08 Aug 2024, 13:04

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de verificación de permisos en GitLab CE/EE que afecta a todas las versiones desde 8.12 anterior a 17.0.6, 17.1 anterior a 17.1.4 y 17.2 anterior a 17.2.2 permitió que los tokens LFS leyeran y escribieran en los repositorios propiedad del usuario.

08 Aug 2024, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-08 11:15

Updated : 2024-08-29 15:55


NVD link : CVE-2024-3035

Mitre link : CVE-2024-3035

CVE.ORG link : CVE-2024-3035


JSON object : View

Products Affected

gitlab

  • gitlab
CWE
CWE-639

Authorization Bypass Through User-Controlled Key