CVE-2024-4024: Authentication Bypass by Assumed-Immutable Data in GitLab
First published: Thu Apr 25 2024(Updated: )
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=7.8.0<16.9.6 | |
| GitLab | >=7.8.0<16.9.6 | |
| GitLab | >=16.10.0<16.10.4 | |
| GitLab | >=16.10.0<16.10.4 | |
| GitLab | =16.11.0 | |
| GitLab | =16.11.0 |
Remedy
Upgrade to versions 16.9.6, 16.10.4 or 16.11.1 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/remedy
- agent/references
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/7.8.0
- version/gitlab/16.10.0
- version/gitlab/16.11.0