CVE-2024-4278

An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/458484	Broken Link
https://hackerone.com/reports/2466205	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:17.4.0::::enterprise:::

History

26 Sep 2024, 16:55

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.5~~	v2 : unknown v3 : 2.7
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/458484 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/458484 - Broken Link
References	~~() https://hackerone.com/reports/2466205 -~~	() https://hackerone.com/reports/2466205 - Permissions Required
CPE		cpe:2.3:a:gitlab:gitlab:17.4.0::::enterprise::: cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
First Time		Gitlab Gitlab gitlab
CWE		CWE-662

26 Sep 2024, 13:32

Type	Values Removed	Values Added
Summary		(es) Se ha descubierto un problema de divulgación de información en GitLab EE que afecta a todas las versiones a partir de la 16.5 anterior a la 17.2.8, de la 17.3 anterior a la 17.3.4 y de la 17.4 anterior a la 17.4.1. Un mantenedor podría obtener una contraseña de proxy de dependencia editando una determinada configuración de proxy de dependencia.

26 Sep 2024, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-26 07:15

Updated : 2024-09-26 16:55

NVD link : CVE-2024-4278

Mitre link : CVE-2024-4278

CVE.ORG link : CVE-2024-4278

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-662

Improper Synchronization

CWE-821

Incorrect Synchronization

{"id": "CVE-2024-4278", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-09-26T07:15:02.603", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/458484", "tags": ["Broken Link"], "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2466205", "tags": ["Permissions Required"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-662"}]}, {"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-821"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting."}, {"lang": "es", "value": "Se ha descubierto un problema de divulgaci\u00f3n de informaci\u00f3n en GitLab EE que afecta a todas las versiones a partir de la 16.5 anterior a la 17.2.8, de la 17.3 anterior a la 17.3.4 y de la 17.4 anterior a la 17.4.1. Un mantenedor podr\u00eda obtener una contrase\u00f1a de proxy de dependencia editando una determinada configuraci\u00f3n de proxy de dependencia."}], "lastModified": "2024-09-26T16:55:18.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "33ABDFC4-58F2-4F3E-B04C-CA977443E5ED", "versionEndExcluding": "17.2.8", "versionStartIncluding": "16.5.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "27CB6247-D7EE-40BB-BF4A-8CE5350E31BF", "versionEndExcluding": "17.3.4", "versionStartIncluding": "17.3.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:17.4.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "3AC3130C-A3AA-403A-85D9-92FD2B8BC091"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}