CVE-2024-5257

Published: Jul 11, 2024Modified: Nov 21, 2024

2.7

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Exploitability: 1.2 / Impact: 1.4

Source: NVD

Description

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace.

Affected (4)

Products: Gitlab: Gitlab

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 17.0.0 to 17.0.4
Gitlab Gitlab	From 17.1.0 to 17.1.2
Gitlab Gitlab	From 17.0.0 to 17.0.4
Gitlab Gitlab	From 17.1.0 to 17.1.2

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://gitlab.com/gitlab-org/gitlab/-/issues/463149

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/2513934

Source: cve@gitlab.com

Permissions Required

https://gitlab.com/gitlab-org/gitlab/-/issues/463149

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://hackerone.com/reports/2513934

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.