
Description

An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim into trusting an attacker-controlled application.

PUBLISHED Reserved 2024-07-02 | Published 2024-09-12 | Updated 2024-09-13 | Assigner GitLab




LOW: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Problem types

CWE-840: Business Logic Errors

Product status

Default status
unaffected

17.1 (semver) before 17.1.7
affected

17.2 (semver) before 17.2.5
affected

17.3 (semver) before 17.3.2
affected

Credits

Thanks [joaxcar](https://hackerone.com/joaxcar) (finder) for reporting this vulnerability through our HackerOne bug bounty program

References

about.gitlab.com/...11/patch-release-gitlab-17-3-2-released/

gitlab.com/gitlab-org/gitlab/-/issues/470144 (GitLab Issue #470144) [issue-tracking, permissions-required]

hackerone.com/reports/2573481 (HackerOne Bug Bounty Report #2573481) [technical-description, exploit, permissions-required]

cve.org (CVE-2024-6446)

nvd.nist.gov (CVE-2024-6446)
