CVE-2024-4006

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/455805	Exploit Issue Tracking
https://gitlab.com/gitlab-org/gitlab/-/issues/455805	Exploit Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:16.11.0::::community:::
	cpe:2.3:a:gitlab:gitlab:16.11.0::::enterprise:::

History

12 Dec 2024, 17:10

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/455805 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/455805 - Exploit, Issue Tracking
First Time		Gitlab gitlab Gitlab
CPE		cpe:2.3:a:gitlab:gitlab:16.11.0::::enterprise::: cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:16.11.0::::community::: cpe:2.3:a:gitlab:gitlab:::::community:::*

21 Nov 2024, 09:42

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/455805 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/455805 -
Summary		(es) Se ha descubierto un problema en GitLab CE/EE que afecta a todas las versiones desde 16.7 anteriores a 16.9.6, todas las versiones desde 16.10 anteriores a 16.10.4, todas las versiones desde 16.11 anteriores a 16.11.1 donde las suscripciones a GraphQL no respetaban los alcances de acceso personal.

25 Apr 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-25 14:15

Updated : 2024-12-12 17:10

NVD link : CVE-2024-4006

Mitre link : CVE-2024-4006

CVE.ORG link : CVE-2024-4006

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-4006", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-04-25T14:15:09.667", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455805", "tags": ["Exploit", "Issue Tracking"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455805", "tags": ["Exploit", "Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions"}, {"lang": "es", "value": "Se ha descubierto un problema en GitLab CE/EE que afecta a todas las versiones desde 16.7 anteriores a 16.9.6, todas las versiones desde 16.10 anteriores a 16.10.4, todas las versiones desde 16.11 anteriores a 16.11.1 donde las suscripciones a GraphQL no respetaban los alcances de acceso personal."}], "lastModified": "2024-12-12T17:10:26.743", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "C4191F1B-8E54-4667-AEA6-B1D779251966", "versionEndExcluding": "16.9.6", "versionStartIncluding": "16.7.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "25926890-C356-467C-9478-33FF423207C7", "versionEndExcluding": "16.9.6", "versionStartIncluding": "16.7.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "A56BDD5E-E19A-4C96-BFA1-0C9C714BC1DF", "versionEndExcluding": "16.10.4", "versionStartIncluding": "16.10.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "4DFA9764-53C9-46A5-904A-109E64CF5942", "versionEndExcluding": "16.10.4", "versionStartIncluding": "16.10.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:16.11.0:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "DBAF6CB8-EEBE-4F61-9B80-165C351748E2"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:16.11.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "BEF58721-8679-4EA5-A353-4ED035241169"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}