CVE-2024-4612

Published: Sep 12, 2024Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.

Affected (3)

Products: Gitlab: Gitlab

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 12.9.0 to 17.1.7
Gitlab Gitlab	From 17.2.0 to 17.2.5
Gitlab Gitlab	From 17.3.0 to 17.3.2

Related CWEs

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (3)

https://gitlab.com/gitlab-org/gitlab/-/issues/460707

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/2479857

Source: cve@gitlab.com

Permissions Required

https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.