CVE-2024-0456

EPSS 0.1%
Published 26.01.2024 01:15:09
Last modified 21.11.2024 08:46:37
Source cve@gitlab.com
Teams watchlist Login
Open Login

An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Gitlab ≫ Gitlab SwEditioncommunity Version >= 14.0.0 < 16.6.6

Gitlab ≫ Gitlab SwEditionenterprise Version >= 14.0.0 < 16.6.6

Gitlab ≫ Gitlab SwEditioncommunity Version >= 16.7.0 < 16.7.4

Gitlab ≫ Gitlab SwEditionenterprise Version >= 16.7.0 < 16.7.4

Gitlab ≫ Gitlab Version16.8.0 SwEditioncommunity

Gitlab ≫ Gitlab Version16.8.0 SwEditionenterprise

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.286

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
cve@gitlab.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-425 Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/430726

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2024-0456

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-0456

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-0456

EUVD