CVE-2024-8640

EPSS 0.16%
Published 12.09.2024 17:15:06
Last modified 21.11.2024 09:53:29
Source cve@gitlab.com
Teams watchlist Login
Open Login

An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Gitlab ≫ Gitlab SwEditionenterprise Version >= 16.11.0 < 17.1.7

Gitlab ≫ Gitlab SwEditionenterprise Version >= 17.2.0 < 17.2.5

Gitlab ≫ Gitlab SwEditionenterprise Version >= 17.3.0 < 17.3.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.16%	0.375

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cve@gitlab.com	8.5	1.8	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/

https://gitlab.com/gitlab-org/gitlab/-/issues/486213

Broken Link

https://hackerone.com/reports/2687770

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2024-8640

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-8640

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-8640

EUVD