CVE-2024-10240

An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#information-disclosure-through-an-api-endpoint	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/493188	Broken Link

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

13 Dec 2024, 01:37

Type	Values Removed	Values Added
First Time		Gitlab gitlab Gitlab
References	~~() https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#information-disclosure-through-an-api-endpoint -~~	() https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#information-disclosure-through-an-api-endpoint - Vendor Advisory
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/493188 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/493188 - Broken Link
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:::::community:::*
CWE		NVD-CWE-noinfo

26 Nov 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-26 20:15

Updated : 2024-12-13 01:37

NVD link : CVE-2024-10240

Mitre link : CVE-2024-10240

CVE.ORG link : CVE-2024-10240

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

NVD-CWE-noinfo

{"id": "CVE-2024-10240", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-11-26T20:15:24.487", "references": [{"url": "https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#information-disclosure-through-an-api-endpoint", "tags": ["Vendor Advisory"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/493188", "tags": ["Broken Link"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-497"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances."}, {"lang": "es", "value": "Se ha descubierto un problema en GitLab EE que afecta a todas las versiones desde la 17.3 hasta la 17.3.7, todas las versiones desde la 17.4 hasta la 17.4.4 y todas las versiones desde la 17.5 hasta la 17.5.2 en el que un usuario no autenticado puede leer informaci\u00f3n sobre un MR en un proyecto privado, bajo determinadas circunstancias."}], "lastModified": "2024-12-13T01:37:16.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "74E30536-DC70-4B29-9949-A62CD91CFD30", "versionEndExcluding": "17.3.7", "versionStartIncluding": "17.3.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "29B62E43-F700-4612-8B62-CCE84B94D47A", "versionEndExcluding": "17.3.7", "versionStartIncluding": "17.3.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "1F7F4C7C-334F-4015-AC25-74FCE4BAD311", "versionEndExcluding": "17.4.4", "versionStartIncluding": "17.4.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "7FF0B7C7-E0BD-4C6C-8938-0082CBE64847", "versionEndExcluding": "17.4.4", "versionStartIncluding": "17.4.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "34CDEED3-E7FB-4620-8E07-E4766F9B6593", "versionEndExcluding": "17.5.2", "versionStartIncluding": "17.5.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "DA99FF56-0441-464D-B369-CF72EF9EEDC7", "versionEndExcluding": "17.5.2", "versionStartIncluding": "17.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}