CVE-2024-4557

Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai pipeline.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/460517	Broken Link
https://hackerone.com/reports/2485172	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:17.1.0::::enterprise:::
	cpe:2.3:a:gitlab:gitlab:17.1.0::::community:::
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

28 Jun 2024, 13:19

Type	Values Removed	Values Added
First Time		Gitlab gitlab Gitlab
CWE		CWE-400
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/460517 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/460517 - Broken Link
References	~~() https://hackerone.com/reports/2485172 -~~	() https://hackerone.com/reports/2485172 - Permissions Required
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:17.1.0::::enterprise::: cpe:2.3:a:gitlab:gitlab:17.1.0::::community::: cpe:2.3:a:gitlab:gitlab:::::community:::*

27 Jun 2024, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-27 00:15

Updated : 2024-06-28 13:19

NVD link : CVE-2024-4557

Mitre link : CVE-2024-4557

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-400

Uncontrolled Resource Consumption

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/460517", "name": "GitLab Issue #460517", "tags": ["Broken Link"], "refsource": ""}, {"url": "https://hackerone.com/reports/2485172", "name": "HackerOne Bug Bounty Report #2485172", "tags": ["Permissions Required"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai pipeline."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-400"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2024-4557", "ASSIGNER": "cve@gitlab.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}}, "publishedDate": "2024-06-27T00:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:community:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "17.0.3", "versionStartIncluding": "17.0.0"}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "17.0.3", "versionStartIncluding": "17.0.0"}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16.11.5", "versionStartIncluding": "1.0.0"}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16.11.5", "versionStartIncluding": "1.0.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2024-06-28T13:19Z"}