Home

Description

A business logic error in GitLab CE/EE affecting all versions starting from 12.1 prior to 17.10.7, 17.11 prior to 17.11.3 and 18.0 prior to 18.0.1 where an attacker can cause a branch name confusion in confidential MRs.

PUBLISHED Reserved 2024-09-24 | Published 2025-05-23 | Updated 2025-05-27 | Assigner GitLab




LOW: 3.5CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Problem types

CWE-451: User Interface (UI) Misrepresentation of Critical Information

Product status

Default status
unaffected

12.1 (semver) before 17.10.7
affected

17.11 (semver) before 17.11.3
affected

18.0 (semver) before 18.0.1
affected

Credits

Thanks [foxribeye](https://hackerone.com/foxribeye) for reporting this vulnerability through our HackerOne bug bounty program finder

References

gitlab.com/gitlab-org/gitlab/-/issues/493942 (GitLab Issue #493942) issue-tracking permissions-required

hackerone.com/reports/2705566 (HackerOne Bug Bounty Report #2705566) technical-description exploit permissions-required

cve.org (CVE-2024-9163)

nvd.nist.gov (CVE-2024-9163)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.