Severity
Medium
Analysis Summary
CVE-2024-0456 CVSS:4.3
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by an authorization vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to assign arbitrary users to MRs that they created within the project.
CVE-2023-5612 CVSS:5.3
GitLab Community Edition and Enterprise Edition could allow a remote attacker to obtain sensitive information. A remote attacker could exploit this vulnerability to read the user email address via tags feed.
CVE-2023-5933 CVSS:6.4
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by improper input sanitization of user name. By sending a specially crafted request, an attacker could exploit this vulnerability to perform arbitrary API PUT requests.
CVE-2023-6159 CVSS:6.5
GitLab Community Edition and Enterprise Edition is vulnerable to a denial of service, caused by a ReDoS in Cargo.toml blob viewer. By sending a specially crafted input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
Impact
- Denial of Service
- Security Bypass
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2024-0456
- CVE-2023-5612
- CVS-2023-5933
- CVE-2023-6159
Affected Vendors
GitLab
Affected Products
- GitLab Enterprise Edition 16.8.0
- GitLab Enterprise Edition 16.7.3
- GitLab Enterprise Edition 16.6.5
- GitLab Enterprise Edition 16.5.7
- GitLab Community Edition 16.5.7
- GitLab Community Edition 16.6.5
- GitLab Community Edition 16.7.3
- GitLab Community Edition 16.8.0
Remediation
Refer to GitLab Website for patch, upgrade or suggested workaround information.