Rewterz Threat Alert – Multiple GitLab Community Edition and Enterprise Edition Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-0456 CVSS:4.3

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by an authorization vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to assign arbitrary users to MRs that they created within the project.

CVE-2023-5612 CVSS:5.3

GitLab Community Edition and Enterprise Edition could allow a remote attacker to obtain sensitive information. A remote attacker could exploit this vulnerability to read the user email address via tags feed.

CVE-2023-5933 CVSS:6.4

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by improper input sanitization of user name. By sending a specially crafted request, an attacker could exploit this vulnerability to perform arbitrary API PUT requests.

CVE-2023-6159 CVSS:6.5

GitLab Community Edition and Enterprise Edition is vulnerable to a denial of service, caused by a ReDoS in Cargo.toml blob viewer. By sending a specially crafted input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.

Impact

• Denial of Service
• Security Bypass
• Information Disclosure

Indicators Of Compromise

CVE

• CVE-2024-0456
• CVE-2023-5612
• CVS-2023-5933
• CVE-2023-6159

Affected Vendors

GitLab

Affected Products

• GitLab Enterprise Edition 16.8.0
• GitLab Enterprise Edition 16.7.3
• GitLab Enterprise Edition 16.6.5
• GitLab Enterprise Edition 16.5.7
• GitLab Community Edition 16.5.7
• GitLab Community Edition 16.6.5
• GitLab Community Edition 16.7.3
• GitLab Community Edition 16.8.0

Remediation

Refer to GitLab Website for patch, upgrade or suggested workaround information.

GitLab Website