CVE-2024-11274

HIGH

GitLab 16.1-17.4.5, 17.5-17.5.3, 17.6-17.6.1 - Session Data Exfiltration via NEL Header Injection in k8s Proxy Response

Title source: llm
STIX 2.1

Description

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration.

References (2)

Core 2
Core References
Exploit, Issue Tracking, Vendor Advisory issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/504707
Permissions Required technical-description exploit permissions-required
https://hackerone.com/reports/2813673

Scores

CVSS v3 8.7
EPSS 0.0043
EPSS Percentile 62.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-601
Status published
Products (1)
gitlab/gitlab 16.1.0 - 17.4.6 (2 CPE variants)
Published Dec 12, 2024
Tracked Since Feb 18, 2026