CVE-2024-4660 — Missing Authorization in GitLab

Description

An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates.

How to fix CVE-2024-4660

To remediate CVE-2024-4660, upgrade the affected package to a fixed version below.

—upgrade to 17.1.7 or later

Is CVE-2024-4660 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 11.2.0, < 17.1.7, >= 17.2.0, < 17.2.5, >= 17.3.0, < 17.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

WEBabout.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/
WEBgitlab.com/gitlab-org/gitlab/-/issues/460892
WEBhackerone.com/reports/2480126
WEBnvd.nist.gov/vuln/detail/CVE-2024-4660