Unrated severityNVD Advisory· Published Nov 26, 2024· Updated Nov 30, 2024
Incorrect Authorization in GitLab
CVE-2024-11669
Description
An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.
Affected products
12cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*range: 16.9.8
- (no CPE)range: >=16.9.8 <17.4.5, >=17.5.0 <17.5.3, >=17.6.0 <17.6.1
- osv-coords10 versionspkg:apk/chainguard/gitlab-docker-machine-17.6pkg:apk/chainguard/gitlab-docker-machine-fips-17.6pkg:apk/chainguard/gitlab-runner-17.6pkg:apk/chainguard/gitlab-runner-fips-17.6pkg:apk/chainguard/gitlab-runner-helper-17.6pkg:apk/chainguard/gitlab-runner-helper-compat-17.6pkg:apk/chainguard/gitlab-runner-helper-fips-17.6pkg:apk/chainguard/gitlab-runner-helper-oci-entrypoint-17.6pkg:apk/chainguard/gitlab-runner-oci-entrypoint-17.6pkg:bitnami/gitlab
< 17.6.1-r0+ 9 more
- (no CPE)range: < 17.6.1-r0
- (no CPE)range: < 17.6.1-r0
- (no CPE)range: < 17.6.1-r0
- (no CPE)range: < 17.6.1-r0
- (no CPE)range: < 17.6.1-r0
- (no CPE)range: < 17.6.1-r0
- (no CPE)range: < 17.6.1-r0
- (no CPE)range: < 17.6.1-r0
- (no CPE)range: < 17.6.1-r0
- (no CPE)range: >= 16.9.8, < 17.4.5
Patches
Vulnerability mechanics
References
1- gitlab.com/gitlab-org/gitlab/-/issues/501528mitreissue-trackingpermissions-required
News mentions
1- GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5GitLab Security Releases · Nov 26, 2024