
Rewterz Threat Advisory – Multiple GitLab Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-1066 CVSS:6.5

GitLab is vulnerable to a denial of service, caused by improper system resource allocation in the GraphQL vulnerabilitiesCountByDay component. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.

CVE-2024-6386 CVSS:6.5

GitLab is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the CI/CD Pipeline Editor. By providing specially crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.

CVE-2024-6840 CVSS:6.7

GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper enforcement of a group’s scan result policy block_branch_modification setting. By sending a specially crafted request, an attacker could exploit this vulnerability to rename a protected branch, bypassing the security policy that was added to block merge requests (MRs).

CVE-2024-1250 CVSS:6.5

GitLab could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper management of the manage_group_access_tokens permission. By sending a specially crafted request, an attacker could exploit this vulnerability to gain elevated privileges.

Impact

  • Denial of Service
  • Security Bypass
  • Privilege Escalation

Indicators Of Compromise

CVE

  • CVE-2024-1066
  • CVE-2024-6386
  • CVE-2024-6840
  • CVE-2024-1250

Affected Vendors

GitLab

Affected Products

  • GitLab 16.8.1 Community Edition
  • GitLab 16.8.1 Enterprise Edition
  • GitLab 16.7.4 Enterprise Edition
  • GitLab 16.6.6 Enterprise Edition
  • GitLab 16.6.6 Community Edition
  • GitLab 16.7.4 Community Edition

Remediation

Refer to the GitLab website for patch, upgrade, or suggested workaround information.

GitLab Website