Rewterz

Multiple GitLab Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-4612 CVSS:6.4

GitLab contains an open redirect vulnerability that could allow a remote authenticated attacker to conduct phishing attacks. By persuading a victim to follow a specially crafted URL, the attacker could redirect the victim to an arbitrary website that appears to have been reached from the trusted GitLab domain.
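The open-redirect class behind CVE-2024-4612, as an added example that is not code from this advisory or from GitLab: a hardened check for a post-login "return to" URL of the kind an open redirect abuses. The parameter, the host gitlab.example.com and the sample inputs are assumptions for illustration; the advisory does not name GitLab's affected parameter or describe GitLab's fix.

```python
"""Hardened "return to" URL check (added example, not GitLab's code).

Assumptions for illustration: the application lives on gitlab.example.com
and accepts a post-login redirect target that must stay on that site.
"""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical host of the application; any other authority is rejected.
ALLOWED_HOST = "gitlab.example.com"


def safe_redirect_target(candidate: str, default: str = "/") -> str:
    """Return a same-site relative URL derived from `candidate`, or `default`.

    Rejects every form a browser would take to another origin:
    absolute URLs to other hosts, scheme-relative URLs ("//evil.test"),
    backslash variants ("/\\evil.test", which browsers normalise to "//"),
    userinfo tricks ("https://gitlab.example.com@evil.test/") and
    non-HTTP schemes such as javascript:.
    """
    if not candidate:
        return default
    # Browsers treat "\" like "/" when parsing http(s) URLs, so normalise
    # first; otherwise "/\evil.test" would look like a plain path.
    normalised = candidate.replace("\\", "/")
    # Tabs, newlines and other control characters are stripped by browsers
    # and can hide a scheme from a naive prefix check; refuse them outright.
    if any(ord(ch) < 0x21 for ch in normalised):
        return default
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    # `hostname` is lower-cased and excludes userinfo and port, so the
    # "@evil.test" trick is caught here.
    if parts.netloc and parts.hostname != ALLOWED_HOST:
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Re-emit only path, query and fragment so no authority can survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are
    # open-redirect payloads of the kind a phishing link would carry.
    for url in ["/dashboard", "https://gitlab.example.com/foo?x=1",
                "//evil.test/", "/\\evil.test", "https://evil.test/",
                "https://gitlab.example.com@evil.test/", "javascript:alert(1)"]:
        print(f"{url!r:45} -> {safe_redirect_target(url)!r}")
```

The design point is that the function never echoes the attacker's string: it rebuilds the target from the parsed path, query and fragment only, so even an input the parser reads differently from a browser (for example "///evil.test") comes back as a same-site path rather than an external URL.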

CVE-2024-8641 CVSS:6.7

GitLab could allow a remote authenticated attacker to gain elevated privileges, caused by a privilege context-switching error. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain a GitLab session token belonging to the victim and act as that user.

CVE-2024-8041 CVSS:6.5

GitLab is vulnerable to a denial of service. By importing a specially crafted repository through the GitHub importer, an attacker could exploit this vulnerability to cause a denial of service on the instance.

CVE-2024-6502 CVSS:5.7

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the GitLab web interface. By sending a specially crafted request, an attacker could create a branch with the same name as a previously deleted tag, a name collision the interface is meant to reject.
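To find out whether a repository already carries the branch/tag name collision that CVE-2024-6502 lets a user create, here is an added audit script that is not code from this advisory or from GitLab. `git for-each-ref` is a real Git command; the repository path and the sample ref listing are constructed for illustration.

```python
"""Audit a Git repository for branch/tag name collisions (added example).

Not code from the Rewterz advisory or from GitLab. `git for-each-ref` is a
real Git command; the repository path and sample ref listing are assumptions.
"""
import subprocess
from collections import defaultdict


def collisions_from_refs(full_refs):
    """Return {short name: [full refs]} for names used by both a branch and a tag.

    `full_refs` is an iterable of full ref names as printed by
    `git for-each-ref --format='%(refname)'`. Only local branches
    (refs/heads/) and tags (refs/tags/) are compared, matching the collision
    the advisory describes; remote-tracking refs are ignored.
    """
    by_short = defaultdict(set)
    for ref in full_refs:
        for prefix in ("refs/heads/", "refs/tags/"):
            if ref.startswith(prefix):
                by_short[ref[len(prefix):]].add(ref)
    return {name: sorted(refs) for name, refs in by_short.items() if len(refs) > 1}


def repo_collisions(repo_dir):
    """List collisions in a real repository on disk (requires git on PATH)."""
    listing = subprocess.run(
        ["git", "-C", repo_dir, "for-each-ref", "--format=%(refname)"],
        check=True, capture_output=True, text=True,
    ).stdout
    return collisions_from_refs(listing.splitlines())


if __name__ == "__main__":
    # Constructed listing standing in for a repository where a user created
    # branch "v1.0" after the tag "v1.0" was deleted, and the tag later came back.
    sample = [
        "refs/heads/main",
        "refs/heads/v1.0",
        "refs/tags/v0.9",
        "refs/tags/v1.0",
        "refs/remotes/origin/v0.9",
    ]
    for name, refs in collisions_from_refs(sample).items():
        print(f"{name}: {', '.join(refs)}")
```

Why such a collision matters: once both refs/heads/v1.0 and refs/tags/v1.0 exist, `git rev-parse v1.0` resolves the tag (gitrevisions checks refs/tags before refs/heads) and warns that the name is ambiguous, while a branch-taking command such as `git checkout v1.0` selects the branch, so the same name points different tools and pipelines at different commits.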

Impact

  • Gain Access
  • Privilege Escalation
  • Denial of Service
  • Security Bypass

Indicators of Compromise

CVE

  • CVE-2024-4612
  • CVE-2024-8641
  • CVE-2024-8041
  • CVE-2024-6502

Affected Vendors

GitLab

Affected Products

  • GitLab Community Edition - 17.1.5
  • GitLab Community Edition - 17.2.3
  • GitLab Enterprise Edition - 17.2.3
  • GitLab Enterprise Edition - 17.3.0
  • GitLab Enterprise Edition - 17.1.6
  • GitLab Enterprise Edition - 17.2.4
  • GitLab Enterprise Edition - 17.3.1
  • GitLab - 17.1.0

Remediation

Refer to the GitLab website for patch, upgrade or suggested workaround information for each of the following CVEs:

  • CVE-2024-4612
  • CVE-2024-8641
  • CVE-2024-8041
  • CVE-2024-6502