CVE-2024-5470

LOW

Gitlab < 17.0.4 - Improper Access Control

Title source: rule

Description

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens.

References (2)

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/464312

[Permissions Required] https://hackerone.com/reports/2521480

Scores

CVSS v3 3.8

EPSS 0.0005

EPSS Percentile 16.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Classification

CWE

CWE-284

Status published

Affected Products (2)

gitlab/gitlab < 17.0.4

Timeline

Published Jul 11, 2024

Tracked Since Feb 18, 2026