CVE-2024-8647

MEDIUM severity · CVSS 5.4 · Path traversal

5.4CVSS MEDIUM

Summary

An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionRequired

Confidentiality impactLow

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected products we track (1)

GitLab

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://gitlab.com/gitlab-org/gitlab/-/issues/486051Advisory
https://hackerone.com/reports/2666341