An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows an attacker to squat on accounts by linking arbitrary unclaimed provider identities when JWT authentication is configured.
History

Sat, 14 Sep 2024 16:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 12 Sep 2024 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Sep 2024 17:15:00 +0000

Type Values Removed Values Added
Description An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows an attacker to squat on accounts by linking arbitrary unclaimed provider identities when JWT authentication is configured.
Title External Control of Critical State Data in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-642
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2024-09-12T17:02:00.988Z

Updated: 2024-09-17T19:36:51.833Z

Reserved: 2024-09-12T14:01:59.989Z

Link: CVE-2024-8754

Vulnrichment

Updated: 2024-09-12T17:19:57.754Z

NVD

Status: Analyzed

Published: 2024-09-12T17:15:06.917

Modified: 2024-09-14T15:40:20.583

Link: CVE-2024-8754

Redhat

No data.