CVE-2024-0456: Direct Request ('Forced Browsing') in GitLab
First published: Fri Jan 26 2024(Updated: )
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab GitLab | >=14.0.0<16.6.6 | |
| GitLab GitLab | >=14.0.0<16.6.6 | |
| GitLab GitLab | >=16.7.0<16.7.4 | |
| GitLab GitLab | >=16.7.0<16.7.4 | |
| GitLab GitLab | =16.8.0 | |
| GitLab GitLab | =16.8.0 |
Remedy
Upgrade to versions 16.8.1, 16.7.4, 16.6.6 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/remedy
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/severity
- agent/author
- agent/event
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- vendor/gitlab
- canonical/gitlab gitlab
- version/gitlab gitlab/14.0.0
- version/gitlab gitlab/16.7.0
- version/gitlab gitlab/16.8.0