CVE-2024-6595

Published: Jul 17, 2024Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data.

Affected (6)

Products: Gitlab: Gitlab

1 product

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 11.8.0 to 16.11.6
Gitlab Gitlab	From 17.0.0 to 17.0.4
Gitlab Gitlab	From 17.1.0 to 17.1.2
Gitlab Gitlab	From 11.8.0 to 16.11.6
Gitlab Gitlab	From 17.0.0 to 17.0.4
Gitlab Gitlab	From 17.1.0 to 17.1.2

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

User Interface (UI) Misrepresentation of Critical Information

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

References (4)

https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem

Source: cve@gitlab.com

ExploitThird Party Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/417975

Source: cve@gitlab.com

Issue Tracking

https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/417975

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

Timeline

No history available yet.