May 1, 2024
Severity
Medium
Analysis Summary
CVE-2024-4006 (CVSS 4.3)
GitLab Community Edition (CE) and Enterprise Edition (EE) do not correctly enforce Personal Access Token (PAT) scopes. A remote attacker who holds a valid PAT can send a specially crafted request and read information that the token's scope should not grant, resulting in information disclosure.
CVE-2024-4024 (CVSS 7.3)
GitLab Community Edition (CE) and Enterprise Edition (EE) allow account takeover when Bitbucket is configured as an OAuth provider. A remote attacker can abuse the Bitbucket OAuth sign-in flow to gain control of a GitLab account, giving them that account's privileges on the instance.
Impact
- Privilege Escalation
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-4006
- CVE-2024-4024
Affected Vendors
- GitLab
Affected Products
- GitLab Community Edition 16.11.0
- GitLab Community Edition 16.10.3
- GitLab Community Edition 16.9.5
- GitLab Enterprise Edition 16.9.5
- GitLab Enterprise Edition 16.10.3
- GitLab Enterprise Edition 16.11.0
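The following Python check is an added example and not part of this advisory or of GitLab's own tooling. It maps an instance's reported version and its gitlab.rb OmniAuth configuration to the two CVEs above. Two assumptions are not stated on the page: the three listed versions are treated as the last unpatched release of their minor branch, so earlier patch levels in the same branch are also flagged, and the inputs are assumed to come from GET /api/v4/version and /etc/gitlab/gitlab.rb, here replaced by constructed samples.

```python
import json
import re

# Highest affected patch level in each minor branch named by the advisory.
# Assumption: earlier patch levels in the same branch are affected as well.
AFFECTED_BRANCHES = {(16, 9): 5, (16, 10): 3, (16, 11): 0}

# Constructed samples standing in for GET /api/v4/version and gitlab.rb.
SAMPLE_VERSION_JSON = '{"version": "16.10.3-ee"}'
SAMPLE_GITLAB_RB = """
# constructed gitlab.rb excerpt
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: "bitbucket",
    app_id: "BITBUCKET_APP_KEY",
    app_secret: "BITBUCKET_APP_SECRET"
  }
]
"""


def parse_version(version):
    """Return (major, minor, patch) from strings such as '16.10.3-ee' or '16.11.0'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_status(version):
    """'affected', 'patched', or 'unknown' when the branch is not one named above."""
    major, minor, patch = parse_version(version)
    last_bad = AFFECTED_BRANCHES.get((major, minor))
    if last_bad is None:
        return "unknown"
    return "affected" if patch <= last_bad else "patched"


# Matches both Ruby hash styles: name: "bitbucket" and "name" => "bitbucket".
_NAME_BITBUCKET = re.compile(r"""["']?name["']?\s*(?::|=>)\s*["']bitbucket["']""")
_OMNIAUTH_OFF = re.compile(r"""omniauth_enabled['"]\]\s*=\s*false""")


def bitbucket_oauth_enabled(gitlab_rb):
    """True if gitlab.rb configures a Bitbucket OmniAuth provider and does not
    switch OmniAuth off. Comment lines are ignored before matching."""
    active = "\n".join(
        line for line in gitlab_rb.splitlines() if not line.lstrip().startswith("#")
    )
    if _OMNIAUTH_OFF.search(active):
        return False
    return _NAME_BITBUCKET.search(active) is not None


def assess(version_json, gitlab_rb):
    """Return (version status, list of findings) for the advisory's two CVEs."""
    version = json.loads(version_json)["version"]
    status = version_status(version)
    findings = []
    if status == "affected":
        findings.append("CVE-2024-4006: affected release; upgrade")
        if bitbucket_oauth_enabled(gitlab_rb):
            findings.append(
                "CVE-2024-4024: affected release with Bitbucket OAuth enabled; "
                "upgrade and review Bitbucket-linked accounts"
            )
        else:
            findings.append(
                "CVE-2024-4024: affected release, but Bitbucket is not an OmniAuth provider here"
            )
    return status, findings


if __name__ == "__main__":
    status, findings = assess(SAMPLE_VERSION_JSON, SAMPLE_GITLAB_RB)
    print(f"version status: {status}")
    for finding in findings:
        print(" -", finding)
```

A version on a branch the advisory does not name is reported as "unknown" rather than "patched", because this page gives no lower bound for the affected range; consult the vendor advisory for older branches.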
Remediation
Upgrade to the GitLab patch release that supersedes the affected versions listed above; refer to the GitLab website for the exact patch, upgrade, and workaround guidance. Where Bitbucket is configured as an OAuth provider, review accounts that sign in through Bitbucket for unexpected activity once the upgrade is complete.