
Multiple GitLab Community Edition and Enterprise Edition Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-3958 CVSS:5.3

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions. By sending a specially crafted request, an attacker could exploit this vulnerability to abuse a discrepancy in the Web application's display.

CVE-2024-4784 CVSS:4.2

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the password re-entry requirement to approve a policy.

CVE-2024-2800 CVSS:6.5

GitLab Community Edition and Enterprise Edition is vulnerable to a denial of service, caused by a ReDoS flaw in RefMatcher when matching branch names using wildcards. A remote authenticated attacker could exploit this vulnerability to cause a denial of service.
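The ReDoS class described above arises when a wildcard rule (such as a protected-branch pattern) is translated into a backtracking regular expression and then evaluated against a ref name that the requester controls. The following added example is an independent illustration of the mitigation, not GitLab's RefMatcher code and not a reproduction of the flaw: it shows the regex-translation shape that is prone to catastrophic backtracking, and beside it a linear-scan glob matcher that answers the same question in bounded time. The function names, the `MAX_LEN` limit and the sample rules are assumptions constructed for the example.

```python
import re

# Upper bound on pattern and ref-name length. An assumed policy value for this
# example, not a GitLab setting.
MAX_LEN = 1024


def naive_wildcard_regex(pattern: str) -> str:
    """Translate a glob into a regex by turning every '*' into '.*'.

    A pattern with many wildcards yields '^.*a.*a.*a...$', which a backtracking
    regex engine such as Python's re can take exponential time to reject. This
    is the translation shape to avoid when either side of the match is
    attacker-influenced; it is shown here only to contrast with wildcard_match.
    """
    return "^" + ".*".join(re.escape(piece) for piece in pattern.split("*")) + "$"


def wildcard_match(pattern: str, name: str) -> bool:
    """Glob match where '*' matches any run of characters, with no regex involved.

    Classic iterative algorithm: remember the most recent '*' and, on a
    mismatch, let it absorb one more character of the name. Worst case is
    O(len(pattern) * len(name)), so a hostile pattern cannot cause an
    exponential blow-up. Oversized inputs are rejected up front.
    """
    if len(pattern) > MAX_LEN or len(name) > MAX_LEN:
        return False
    p = n = 0
    last_star = -1   # index of the most recent '*' in pattern, or -1
    star_end = 0     # position in name up to which that '*' has absorbed
    while n < len(name):
        if p < len(pattern) and pattern[p] == "*":
            last_star, star_end, p = p, n, p + 1
        elif p < len(pattern) and pattern[p] == name[n]:
            p += 1
            n += 1
        elif last_star != -1:
            # Mismatch after a '*': let the star swallow one more character.
            star_end += 1
            p, n = last_star + 1, star_end
        else:
            return False
    # Any trailing '*' in the pattern may match the empty string.
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)


def matching_rules(rules, name):
    """Return the protection rules whose wildcard applies to a ref name."""
    return [rule for rule in rules if wildcard_match(rule, name)]


if __name__ == "__main__":
    # Constructed sample rules and ref name.
    sample_rules = ["main", "release/*", "*-stable"]
    print(matching_rules(sample_rules, "release/17.2"))
```

The size cap matters as much as the algorithm: even a quadratic matcher should refuse inputs far larger than any legitimate ref name or rule, so that a service evaluating many rules per push keeps a predictable upper bound on work.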

CVE-2024-6329 CVSS:5.7

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in Path encoding. By sending a specially crafted request, an attacker could exploit this vulnerability to cause the Web interface to not render diffs correctly.

CVE-2024-3114 CVSS:4.3

GitLab Community Edition and Enterprise Edition is vulnerable to a denial of service, caused by a ReDoS flaw when parsing a git push. A remote authenticated attacker could exploit this vulnerability to cause a denial of service.

CVE-2024-5423 CVSS:6.5

GitLab Community Edition and Enterprise Edition is vulnerable to a denial of service. By using the banzai pipeline, a remote authenticated attacker could exploit this vulnerability to cause resource exhaustion.

CVE-2024-3035 CVSS:6.8

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a permission check vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to read from and write to user-owned repositories.

CVE-2024-0231 CVSS:2.7

GitLab Community and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by a resource misdirection flaw. By sending a specially crafted repository import request, an attacker could exploit this vulnerability to bypass the tag check and branch check.

CVE-2024-7057 CVSS:4.3

GitLab Community and Enterprise Edition could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization validation. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain job artifacts information, and use this information to launch further attacks against the affected system.

CVE-2024-5067 CVSS:4.4

GitLab Community and Enterprise Edition could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization validation. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain project-level analytics settings information, and use this information to launch further attacks against the affected system.

Impact

  • Security Bypass
  • Denial of Service
  • Privilege Escalation
  • Information Disclosure
  • Cross-Site Scripting

Indicators of Compromise

CVE

  • CVE-2024-3958
  • CVE-2024-4784
  • CVE-2024-2800
  • CVE-2024-6329
  • CVE-2024-3114
  • CVE-2024-5423
  • CVE-2024-3035
  • CVE-2024-0231
  • CVE-2024-7057
  • CVE-2024-5067

Affected Vendors

GitLab

Affected Products

  • GitLab Enterprise Edition 17.0.0
  • GitLab Enterprise Edition 17.1.0
  • GitLab Community Edition 17.1.0
  • GitLab Community Edition 17.2.0
  • GitLab Enterprise Edition 17.2.0
  • GitLab Community Edition and Enterprise Edition

Remediation

Upgrade to the latest version of GitLab Community Edition and Enterprise Edition, available from the GitLab Website.
