CVE-2024-13041

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the SAML `external_groups` setting overrides the `external_providers` configuration: the external flag is recomputed from group membership alone, so a user who signs in through a provider listed as external but is not in one of the external groups is not marked as external. Such users gain access to internal projects and groups that external users are meant to be denied.
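The precedence problem described above, as an added example that is not GitLab's code: a minimal Ruby model of the two settings and of the user-creation step, with the setting names taken from GitLab's documented configuration keys and the values, usernames and group names constructed for this example. The `vulnerable_saml_user` path reproduces the behaviour the advisory describes; `hardened_saml_user` shows one reasonable precedence rule (external groups may add the flag but never clear it) and is not a claim about what GitLab's own patch does.

```ruby
# Constructed settings mirroring what an admin puts in gitlab.rb:
#   gitlab_rails['omniauth_external_providers'] = ['saml']
#   ... args: { external_groups: ['Contractors'] } in the SAML provider block
OMNIAUTH_EXTERNAL_PROVIDERS = ['saml'].freeze
SAML_EXTERNAL_GROUPS        = ['Contractors'].freeze

# Hypothetical stand-in for the user record built on first sign-in.
User = Struct.new(:username, :admin, :external)

# Step shared by both versions: the generic OmniAuth path marks the new
# user external when the provider is listed in external_providers.
def build_new_user(username:, provider:)
  user = User.new(username, false, false)
  user.external = true if OMNIAUTH_EXTERNAL_PROVIDERS.include?(provider)
  user
end

# Vulnerable precedence (the behaviour described in the advisory): the SAML
# layer recomputes `external` purely from group membership, so a user who came
# through an external provider but is in no external group is reset to internal.
def vulnerable_saml_user(username:, provider:, groups: [])
  user = build_new_user(username: username, provider: provider)
  unless SAML_EXTERNAL_GROUPS.nil? || user.admin
    user.external = !(groups & SAML_EXTERNAL_GROUPS).empty?
  end
  user
end

# Hardened precedence (one possible fix, not necessarily GitLab's patch):
# external_groups can only add the external flag, never remove what
# external_providers already set.
def hardened_saml_user(username:, provider:, groups: [])
  user = build_new_user(username: username, provider: provider)
  unless SAML_EXTERNAL_GROUPS.nil? || user.admin
    user.external ||= !(groups & SAML_EXTERNAL_GROUPS).empty?
  end
  user
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sign-in: provider is external, IdP asserts a non-external group.
  [:vulnerable_saml_user, :hardened_saml_user].each do |impl|
    u = send(impl, username: 'alice', provider: 'saml', groups: ['Developers'])
    puts "#{impl}: #{u.username} external=#{u.external}"
  end
end
```

The point the model makes is that the two settings are evaluated in sequence and the later one assigns rather than combines. When auditing an instance that ran an affected version, note that the flag is set when the user record is created; review users created via SAML during that window rather than assuming the upgrade re-evaluates them.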
Configurations

Configuration 1 (OR), one CPE pair per affected version range listed in the description above:

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (16.4 up to, excluding, 17.5.5)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (16.4 up to, excluding, 17.5.5)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (17.6 up to, excluding, 17.6.3)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (17.6 up to, excluding, 17.6.3)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (17.7 up to, excluding, 17.7.1)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (17.7 up to, excluding, 17.7.1)

History

05 Aug 2025, 15:12

Type: References
  Values Removed: (none)
  Values Added: https://about.gitlab.com/releases/2025/01/08/patch-release-gitlab-17-7-1-released/#instance-saml-does-not-respect-external_provider-configuration (Release Notes, Vendor Advisory)

Type: References
  Values Removed: (none)
  Values Added: https://gitlab.com/gitlab-org/gitlab/-/issues/479165 (Exploit, Issue Tracking)

Type: First Time
  Values Added: Gitlab (vendor); Gitlab gitlab (product)

Type: CPE
  Values Added: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
                cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Type: Summary
  Values Added: Spanish (es) translation of the description: "An issue was discovered in GitLab CE/EE affecting all versions from 16.4 before 17.5.5, from 17.6 before 17.6.3 and from 17.7 before 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider configuration. As a result, the user may not be marked as external, which grants them access to internal projects or groups."

09 Jan 2025, 07:15

Type: New CVE

Information

Published : 2025-01-09 07:15

Updated : 2025-08-05 15:12


NVD link : CVE-2024-13041

Mitre link : CVE-2024-13041

CVE.ORG link : CVE-2024-13041



Products Affected

Vendor: gitlab
  • Product: gitlab
CWE
CWE-286

Incorrect User Management