Unrated severityNVD Advisory· Published Dec 16, 2024· Updated Dec 16, 2024

Incorrect Authorization in GitLab

CVE-2024-8116

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names.

Affected products

GitLab Inc./GitLabv52 versions
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*range: 16.9
- (no CPE)range: >=16.9 <17.4.6, >=17.5 <17.5.4, >=17.6 <17.6.2
osv-coords8 versions
pkg:apk/chainguard/gitlab-base-fips-17.6 pkg:apk/chainguard/gitlab-cng-fips-17.6 pkg:apk/chainguard/gitlab-container-registry-fips-17.6 pkg:apk/chainguard/gitlab-elasticsearch-indexer-fips-17.6 pkg:apk/chainguard/gitlab-logger-fips-17.6 pkg:apk/chainguard/gitlab-shell-fips-17.6 pkg:apk/chainguard/gitlab-toolbox-fips-17.6 pkg:bitnami/gitlab
< 17.6.5-r0+ 7 more
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: >= 16.9.0, < 17.4.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

hackerone.com/reports/2666216mitretechnical-descriptionexploitpermissions-required
gitlab.com/gitlab-org/gitlab/-/issues/480509mitreissue-trackingpermissions-required

News mentions

GitLab Patch Release: 17.6.2, 17.5.4, 17.4.6
GitLab Security Releases · Dec 11, 2024

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000