CVE-2024-0861

Published: Feb 22, 2024Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions.

Affected (3)

Products: Gitlab: Gitlab

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 16.4.0 to 16.7.6
Gitlab Gitlab	From 16.8.0 to 16.8.3
Gitlab Gitlab	Version 16.9.0

Related CWEs

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References (4)

https://gitlab.com/gitlab-org/gitlab/-/issues/439240

Source: cve@gitlab.com

Permissions Required

https://hackerone.com/reports/2316435

Source: cve@gitlab.com

Permissions Required

https://gitlab.com/gitlab-org/gitlab/-/issues/439240

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://hackerone.com/reports/2316435

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.