Severity: Unrated
NVD Advisory · Published Jul 11, 2024 · Updated Sep 18, 2024
Improper Access Control in GitLab
CVE-2024-6385
Description
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
Affected products
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* (range: from 15.8)
- (no CPE) range: >=15.8, <16.11.6; >=17.0, <17.0.4; >=17.1, <17.1.2
- OSV coordinates (4 packages):
  - pkg:bitnami/gitlab (range: >= 15.8.0, < 16.11.6)
  - pkg:deb/ubuntu/gitlab@8.5.8+dfsg-5?arch=source&distro=esm-apps/xenial (range: >= 0)
  - pkg:deb/ubuntu/gitlab-agent@16.1.3-2?arch=source&distro=noble (range: >= 0)
  - pkg:deb/ubuntu/gitlab-agent@16.1.3-2?arch=source&distro=oracular (range: >= 0)
References
- hackerone.com/reports/2578672 (source: mitre; tags: technical-description, exploit, permissions-required)
- gitlab.com/gitlab-org/gitlab/-/issues/469217 (source: mitre; tags: issue-tracking, permissions-required)
News mentions
- GitLab Patch Release: 17.7.1, 17.6.3, 17.5.5 (GitLab Security Releases · Jan 8, 2025)
- GitLab Critical Patch Release: 17.1.2, 17.0.4, 16.11.6 (GitLab Security Releases · Jul 10, 2024)