CVE-2024-0410

Published: Feb 22, 2024Modified: Nov 21, 2024

7.7

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Exploitability: 1.3 / Impact: 5.8

Source: NVD

Description

An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict.

Affected (3)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 15.1.0 to 16.7.6
Gitlab Gitlab	From 16.8.0 to 16.8.3
Gitlab Gitlab	Version 16.9.0

Related CWEs

CWE-841

Improper Enforcement of Behavioral Workflow

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

References (4)

https://gitlab.com/gitlab-org/gitlab/-/issues/437988

Source: cve@gitlab.com

Permissions Required

https://hackerone.com/reports/2296778

Source: cve@gitlab.com

Permissions Required

https://gitlab.com/gitlab-org/gitlab/-/issues/437988

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://hackerone.com/reports/2296778

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.