A vulnerability classified as critical was found in GitLab Community Edition and Enterprise Edition up to 16.9.5/16.10.3/16.11.0. Affected by this vulnerability is some unknown processing of the component Email Address Handler. The manipulation with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. As an impact it is known to affect integrity. The summary by CVE is:

An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restrictions on an instance or a group.

The weakness was shared by Gareth Heyes as 441093. The advisory is shared at gitlab.com. This vulnerability is known as CVE-2024-1347 since 02/08/2024. The exploitation appears to be easy. The attack can be launched remotely. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

Upgrading to version 16.9.6, 16.10.4 or 16.11.1 eliminates this vulnerability.

The entries VDB-227344, VDB-231155, VDB-232055 and VDB-233518 are related to this item.

Productinfo

Type

• Bug Tracking Software

Vendor

• GitLab

Name

• Community Edition
• Enterprise Edition

Version

• 16.0
• 16.1
• 16.2
• 16.3
• 16.4
• 16.5
• 16.6
• 16.7
• 16.8
• 16.9
• 16.9.0
• 16.9.1
• 16.9.2
• 16.9.3
• 16.9.4
• 16.9.5
• 16.10
• 16.10.0
• 16.10.1
• 16.10.2
• 16.10.3
• 16.11

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion