CVE-2024-11931

Published: Jan 24, 2025Modified: Aug 5, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint.

Affected (6)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 17.0.0 to 17.6.4
Gitlab Gitlab	From 17.7.0 to 17.7.3
Gitlab Gitlab	From 17.0.0 to 17.6.4
Gitlab Gitlab	From 17.7.0 to 17.7.3
Gitlab Gitlab	Version 17.8.0
Gitlab Gitlab	Version 17.8.0

Related CWEs

CWE-1220

Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

References (2)

https://gitlab.com/gitlab-org/gitlab/-/issues/480901

Source: cve@gitlab.com

ExploitIssue TrackingPatch

https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released/https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Broken Link

Timeline

No history available yet.