Vulnerability DatabaseCVE-2024-1539

CVE-2024-1539:
GitLab vulnerability analysis and mitigation

Overview

An issue has been discovered in GitLab Enterprise Edition (EE) affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The vulnerability allowed banned group members to access issue updates through the API, potentially exposing sensitive information (GitLab Release).

Technical details

The vulnerability is classified as a medium severity issue with a CVSS score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The issue specifically relates to unauthorized access to issue updates via the API by users who have been banned from groups (GitLab Release).

Impact

The vulnerability allows banned group members to bypass access restrictions and view updates to issues using the API, potentially leading to unauthorized disclosure of information that should be restricted from banned users (GitLab Release).

Mitigation and workarounds

The vulnerability has been fixed in GitLab versions 16.9.7, 16.10.5, and 16.11.2. Organizations are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com is already running the patched version (GitLab Release).

Community reactions

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher ashishrpadelkar, demonstrating the effectiveness of GitLab's security response program (GitLab Release).