

August 12, 2024
Severity
Medium
Analysis Summary
CVE-2024-3958 CVSS: 5.3
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions. By sending a specially crafted request, an attacker could exploit this vulnerability to abuse a discrepancy in the Web application's display.
CVE-2024-4784 CVSS: 4.2
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the password re-entry requirement for approving a policy.
CVE-2024-2800 CVSS: 6.5
GitLab Community Edition and Enterprise Edition is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in RefMatcher when matching branch names that use wildcards. A remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-6329 CVSS: 5.7
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in path encoding. By sending a specially crafted request, an attacker could exploit this vulnerability to cause the Web interface to render diffs incorrectly.
CVE-2024-3114 CVSS: 4.3
GitLab Community Edition and Enterprise Edition is vulnerable to a denial of service, caused by a ReDoS flaw when parsing a git push. A remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-5423 CVSS: 6.5
GitLab Community Edition and Enterprise Edition is vulnerable to a denial of service. By abusing the Banzai pipeline, a remote authenticated attacker could exploit this vulnerability to cause resource exhaustion.
CVE-2024-3035 CVSS: 6.8
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a permission check vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to read from and write to user-owned repositories.
CVE-2024-0231 CVSS: 2.7
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by a resource misdirection flaw. By sending a specially crafted repository import request, an attacker could exploit this vulnerability to bypass tag and branch checks.
CVE-2024-7057 CVSS: 4.3
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization validation. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain job artifact information, and use this information to launch further attacks against the affected system.
CVE-2024-5067 CVSS: 4.4
GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization validation. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain project-level analytics settings information, and use this information to launch further attacks against the affected system.
Impact
- Security Bypass
- Denial of Service
- Privilege Escalation
- Information Disclosure
- Cross-Site Scripting
Indicators of Compromise
CVE
- CVE-2024-3958
- CVE-2024-4784
- CVE-2024-2800
- CVE-2024-6329
- CVE-2024-3114
- CVE-2024-5423
- CVE-2024-3035
- CVE-2024-0231
- CVE-2024-7057
- CVE-2024-5067
Affected Vendors
- GitLab
Affected Products
- GitLab Enterprise Edition 17.0.0
- GitLab Enterprise Edition 17.1.0
- GitLab Community Edition 17.1.0
- GitLab Community Edition 17.2.0
- GitLab Enterprise Edition 17.2.0
- GitLab Community Edition and Enterprise Edition
Remediation
Upgrade to the latest version of GitLab Community Edition and Enterprise Edition, available from the GitLab website.