CVE-2024-5470

Published: Jul 11, 2024Modified: Nov 21, 2024

2.7

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Exploitability: 1.2 / Impact: 1.4

Source: NVD

Description

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens.

Affected (4)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 17.0.0 to 17.0.4
Gitlab Gitlab	From 17.1.0 to 17.1.2
Gitlab Gitlab	From 17.0.0 to 17.0.4
Gitlab Gitlab	From 17.1.0 to 17.1.2

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://gitlab.com/gitlab-org/gitlab/-/issues/464312

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/2521480

Source: cve@gitlab.com

Permissions Required

https://gitlab.com/gitlab-org/gitlab/-/issues/464312

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://hackerone.com/reports/2521480

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.