CVE-2024-4278

An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/458484	Broken Link
https://hackerone.com/reports/2466205	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:17.4.0::::enterprise:::

History

No history.

Information

Published : 2024-09-26 07:15

Updated : 2024-10-08 19:51

NVD link : CVE-2024-4278

Mitre link : CVE-2024-4278

CVE.ORG link : CVE-2024-4278

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-821

Incorrect Synchronization

NVD-CWE-Other

{"id": "CVE-2024-4278", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.2}]}, "published": "2024-09-26T07:15:02.603", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/458484", "tags": ["Broken Link"], "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2466205", "tags": ["Permissions Required"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-821"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting."}, {"lang": "es", "value": "Se ha descubierto un problema de divulgaci\u00f3n de informaci\u00f3n en GitLab EE que afecta a todas las versiones a partir de la 16.5 anterior a la 17.2.8, de la 17.3 anterior a la 17.3.4 y de la 17.4 anterior a la 17.4.1. Un mantenedor podr\u00eda obtener una contrase\u00f1a de proxy de dependencia editando una determinada configuraci\u00f3n de proxy de dependencia."}], "lastModified": "2024-10-08T19:51:38.403", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "33ABDFC4-58F2-4F3E-B04C-CA977443E5ED", "versionEndExcluding": "17.2.8", "versionStartIncluding": "16.5.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "27CB6247-D7EE-40BB-BF4A-8CE5350E31BF", "versionEndExcluding": "17.3.4", "versionStartIncluding": "17.3.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:17.4.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "3AC3130C-A3AA-403A-85D9-92FD2B8BC091"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}