Home

Description

A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.

PUBLISHED Reserved 2024-03-04 | Published 2024-07-09 | Updated 2024-09-17 | Assigner GitLab




MEDIUM: 6.8CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Problem types

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

Product status

Default status
unaffected

16.3 before 16.11.5
affected

17.0 before 17.0.3
affected

17.1 before 17.1.1
affected

Credits

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program finder

References

gitlab.com/gitlab-org/gitlab/-/issues/444467 (GitLab Issue #444467) issue-tracking permissions-required

hackerone.com/reports/2383443 (HackerOne Bug Bounty Report #2383443) technical-description exploit permissions-required

cve.org (CVE-2024-2177)

nvd.nist.gov (CVE-2024-2177)

Download JSON