CVE-2024-4006

MEDIUM

GitLab CE/EE <16.9.6/<16.10.4/<16.11.1 - Info Disclosure

Title source: llm
STIX 2.1

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions

References (1)

Core 1
Core References
Exploit, Issue Tracking issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/455805

Scores

CVSS v3 4.3
EPSS 0.0008
EPSS Percentile 23.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (5)
gitlab/gitlab 16.11.0 (2 CPE variants)
GitLab/GitLab 16.10 - 16.10.4
GitLab/GitLab 16.11 - 16.11.1
GitLab/GitLab 16.7 - 16.9.6
gitlab/gitlab 16.7.0 - 16.9.6 (2 CPE variants)
Published Apr 25, 2024
Tracked Since Feb 18, 2026