CVE-2024-2177

MEDIUM

GitLab 16.3-16.11.5, 17.0-17.0.3, 17.1-17.1.1 - Cross Window Forgery via OAuth Authentication Flow

Title source: llm
STIX 2.1

Description

A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.

References (2)

Core 2
Core References
Exploit, Issue Tracking issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/444467
Permissions Required technical-description exploit permissions-required
https://hackerone.com/reports/2383443

Scores

CVSS v3 6.8
EPSS 0.0061
EPSS Percentile 44.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-1021
Status published
Products (2)
gitlab/gitlab 17.1.0 (2 CPE variants)
gitlab/gitlab 16.3.0 - 16.11.5 (2 CPE variants)
Published Jul 09, 2024
Tracked Since Feb 18, 2026