CVE-2024-11669

An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/501528	Broken Link

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:17.6.0::::community:::
	cpe:2.3:a:gitlab:gitlab:17.6.0::::enterprise:::

History

12 Dec 2024, 21:11

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/501528 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/501528 - Broken Link
First Time		Gitlab Gitlab gitlab
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:17.6.0::::community::: cpe:2.3:a:gitlab:gitlab:17.6.0::::enterprise::: cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

Information

Published : 2024-11-26 19:15

Updated : 2024-12-12 21:11

NVD link : CVE-2024-11669

Mitre link : CVE-2024-11669

CVE.ORG link : CVE-2024-11669

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-863

Incorrect Authorization

NVD-CWE-noinfo

{"id": "CVE-2024-11669", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-11-26T19:15:22.367", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/501528", "tags": ["Broken Link"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en GitLab CE/EE que afectaba a todas las versiones desde la 16.9.8 hasta la 17.4.5, desde la 17.5 hasta la 17.5.3 y desde la 17.6 hasta la 17.6.1. Ciertos endpoints de API podr\u00edan permitir el acceso no autorizado a datos confidenciales debido a la aplicaci\u00f3n demasiado amplia de los alcances de los tokens."}], "lastModified": "2024-12-12T21:11:00.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "555160BC-DF24-4025-ACB6-4B79907F7094", "versionEndExcluding": "17.4.5", "versionStartIncluding": "16.9.8"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "54A6B5EA-1A08-4D43-9C2B-CAC5DE109873", "versionEndExcluding": "17.4.5", "versionStartIncluding": "16.9.8"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "5C1F85A0-709A-4C88-9C40-93D3C47AFD54", "versionEndExcluding": "17.5.3", "versionStartIncluding": "17.5.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "305F5CB5-5B11-4AA7-ABAE-D4B9A05F6B4A", "versionEndExcluding": "17.5.3", "versionStartIncluding": "17.5.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:17.6.0:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "3A39B04B-D109-467A-82E1-3FE6CBA48FEE"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:17.6.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "1212AE23-98AB-4E7A-AAB5-0AD266DFC7D4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}