CVE-2024-8974

LOW

Gitlab < 17.2.8 - Incorrect Authorization

Title source: rule

Description

Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."

References (1)

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/482843

Scores

CVSS v3 2.6

EPSS 0.0006

EPSS Percentile 19.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-684 CWE-863

Status published

Products (2)

gitlab/gitlab 17.4.0 (2 CPE variants)

gitlab/gitlab 15.6.0 - 17.2.8 (2 CPE variants)

Published Sep 26, 2024

Tracked Since Feb 18, 2026