CVE-2024-6356: Incorrect User Management in GitLab
First published: Wed Feb 05 2025(Updated: )
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab Enterprise Edition | >=16.0<17.0.6>=17.1<17.1.4>=17.2<17.2.2 |
Remedy
Upgrade to versions 17.2.2, 17.1.4, 17.0.6 or above.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-6356?
CVE-2024-6356 has a medium severity due to its potential for unauthorized access across projects.
How can I fix CVE-2024-6356?
To resolve CVE-2024-6356, upgrade GitLab EE to version 17.0.6 or later, 17.1.4 or later, or 17.2.2 or later.
What versions of GitLab EE are affected by CVE-2024-6356?
CVE-2024-6356 affects all GitLab EE versions starting from 16.0 up to but not including 17.0.6, starting from 17.1 up to but not including 17.1.4, and starting from 17.2 up to but not including 17.2.2.
What type of vulnerability is CVE-2024-6356?
CVE-2024-6356 is a security vulnerability that allows cross project access for the Security policy bot.
Is there a workaround for CVE-2024-6356?
No specific workaround is recommended for CVE-2024-6356, and updating to the patched versions is the best solution.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/references
- agent/remedy
- agent/type
- agent/first-publish-date
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/source
- agent/severity
- agent/tags
- agent/event
- vendor/gitlab
- canonical/gitlab enterprise edition