CVE-2024-11274: URL Redirection to Untrusted Site ('Open Redirect') in GitLab
First published: Thu Dec 12 2024(Updated: )
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab Community Edition | >=16.1<17.4.6>=17.5<17.5.4>=17.6<17.6.2 |
Remedy
Upgrade to versions 17.4.6, 17.5.4, 17.6.2 or above.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-11274?
CVE-2024-11274 is a high severity vulnerability that can lead to session data exfiltration.
How do I fix CVE-2024-11274?
To fix CVE-2024-11274, upgrade GitLab CE/EE to version 17.4.6, 17.5.4, or 17.6.2 or later.
What versions of GitLab are affected by CVE-2024-11274?
CVE-2024-11274 affects GitLab CE/EE versions 16.1 through 17.4.6, 17.5 through 17.5.4, and 17.6 through 17.6.2.
What type of vulnerability is CVE-2024-11274?
CVE-2024-11274 is an injection vulnerability that allows for the exfiltration of session data.
Can CVE-2024-11274 be exploited remotely?
Yes, CVE-2024-11274 can be exploited remotely due to its nature as an injection vulnerability in the k8s proxy response.
- agent/weakness
- agent/remedy
- agent/references
- agent/title
- agent/description
- agent/first-publish-date
- agent/type
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab community edition