CVE-2024-4612

MEDIUM

GitLab 12.9.0-17.1.6, 17.2.0-17.2.4, 17.3.0-17.3.1 - Open Redirect via OAuth Flow

Title source: llm

Description

An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.

References (3)

Core 3

Core References

Broken Link issue-tracking permissions-required

https://gitlab.com/gitlab-org/gitlab/-/issues/460707

Permissions Required technical-description exploit permissions-required

https://hackerone.com/reports/2479857

Release Notes

https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/

Scores

CVSS v3 6.4

EPSS 0.0003

EPSS Percentile 7.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-601

Status published

Products (1)

gitlab/gitlab 12.9.0 - 17.1.7

Published Sep 12, 2024

Tracked Since Feb 18, 2026