CVE Vulnerabilities

CVE-2024-0456

Direct Request ('Forced Browsing')

Published: Jan 26, 2024 | Modified: Nov 21, 2024
CVSS 3.x
4.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project

Weakness

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Affected Software

Name Vendor Start Version End Version
Gitlab Gitlab 14.0.0 (including) 16.6.6 (excluding)
Gitlab Gitlab 16.7.0 (including) 16.7.4 (excluding)
Gitlab Gitlab 16.8.0 (including) 16.8.0 (including)
Gitlab Ubuntu esm-apps/xenial *
Gitlab Ubuntu xenial *

Potential Mitigations

References