CVE-2024-4099

Published: Sep 26, 2024Modified: Oct 4, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection.

Affected (3)

Products: Gitlab: Gitlab

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 16.0.0 to 17.2.8
Gitlab Gitlab	From 17.3.0 to 17.3.4
Gitlab Gitlab	Version 17.4.0

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (2)

https://gitlab.com/gitlab-org/gitlab/-/issues/457798

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/2459597

Source: cve@gitlab.com

Permissions Required

Timeline

No history available yet.