Cloud Vulnerability DB
A community-led vulnerabilities database
Wiz Agents & Workflows are here
Vulnerability DatabaseCVE-2024-5005
CVE-2024-5005:
GitLab vulnerability analysis and mitigation
Overview
An issue has been discovered in GitLab Enterprise Edition (EE) and Community Edition (CE) affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, and all versions starting from 17.4 before 17.4.2. The vulnerability allows guest users to disclose project templates using the API, which should not be accessible to users with guest-level permissions (GitLab Release, CVE Mitre).
Technical details
The vulnerability is classified as a medium severity issue with a CVSS score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The issue specifically relates to the REST API endpoints that handle project templates, where the access control mechanisms failed to properly restrict guest users from accessing template content. This vulnerability affects the template management functionality in GitLab, particularly concerning merge request templates and other project-level templates (GitLab Release).
Impact
The vulnerability allows guest users to access and disclose project templates that should be restricted. This is particularly concerning for private projects where guests should not have access to source code or sensitive template content. While guests might need access to certain templates like issue templates for legitimate purposes, the vulnerability provides unauthorized access to other types of templates, including merge request templates (GitLab Issue).
Mitigation and workarounds
The vulnerability has been fixed in GitLab versions 17.2.9, 17.3.5, and 17.4.2. Organizations running affected versions should upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).
Community reactions
The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher js_noob. GitLab has addressed this security issue as part of their regular security release cycle, demonstrating their commitment to maintaining strong security standards (GitLab Release).
Additional resources
Source: This report was generated using AI
Related GitLab vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management