CVE-2024-0456
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| GitLab | GitLab | 14.0 < 16.6.6 | affected |
| GitLab | GitLab | 16.7 < 16.7.4 | affected |
| GitLab | GitLab | 16.8 < 16.8.1 | affected |
Weaknesses
- CWE-425: CWE-425: Direct Request ('Forced Browsing')
ADP Enrichment
CVE Program Container
Additional References
- https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/
- https://gitlab.com/gitlab-org/gitlab/-/issues/430726
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/
- https://gitlab.com/gitlab-org/gitlab/-/issues/430726
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.