CVE-2024-0456
Direct Request ('Forced Browsing') in GitLab
4.3
MEDIUM
CVSS 3.1
EPSS 0.16%
Description
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to merge requests (MRs) that they created within the project.
How to fix CVE-2024-0456
To remediate CVE-2024-0456, upgrade the affected package to a fixed version below.
- Bitnami/gitlab: upgrade to 16.6.6 or later (or to the fixed release of the branch in use: 16.7.4 for 16.7.x, 16.8.1 for 16.8.x)
Is CVE-2024-0456 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Bitnami/gitlab: >= 14.0.0, < 16.6.6; >= 16.7.0, < 16.7.4; >= 16.8.0, < 16.8.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |