Unrated severityNVD Advisory· Published Dec 12, 2024· Updated Dec 12, 2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
CVE-2024-8647
Description
An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled.
Affected products
10cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*range: 15.2
- (no CPE)range: >=15.2, <=17.4.6 || >=17.5, <17.5.4 || >=17.6, <17.6.2
- osv-coords8 versionspkg:apk/chainguard/gitlab-base-fips-17.6pkg:apk/chainguard/gitlab-cng-fips-17.6pkg:apk/chainguard/gitlab-container-registry-fips-17.6pkg:apk/chainguard/gitlab-elasticsearch-indexer-fips-17.6pkg:apk/chainguard/gitlab-logger-fips-17.6pkg:apk/chainguard/gitlab-shell-fips-17.6pkg:apk/chainguard/gitlab-toolbox-fips-17.6pkg:bitnami/gitlab
< 17.6.5-r0+ 7 more
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: < 17.6.5-r0
- (no CPE)range: >= 15.2.0, < 17.4.6
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- hackerone.com/reports/2666341mitretechnical-descriptionexploitpermissions-required
- gitlab.com/gitlab-org/gitlab/-/issues/486051mitreissue-trackingpermissions-required
News mentions
1- GitLab Patch Release: 17.6.2, 17.5.4, 17.4.6GitLab Security Releases · Dec 11, 2024