CVE-2024-7047 - OpenCVE

A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:7.2.0::::community:::
	cpe:2.3:a:gitlab:gitlab:7.2.0::::enterprise:::

No data.

References

Link	Providers
https://gitlab.com/gitlab-org/gitlab/-/issues/455318

History

Thu, 29 Aug 2024 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:gitlab:gitlab::::::::

Mon, 26 Aug 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gitlab Gitlab gitlab
CPEs		cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:7.2.0::::community::: cpe:2.3:a:gitlab:gitlab:7.2.0::::enterprise:::
Vendors & Products		Gitlab Gitlab gitlab

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2024-07-25T00:30:40.657Z

Updated: 2024-08-29T15:05:00.689Z

Reserved: 2024-07-23T19:02:09.094Z

Link: CVE-2024-7047

Vulnrichment

Updated: 2024-08-01T21:45:38.425Z

NVD

Status : Analyzed

Published: 2024-07-25T01:15:09.830

Modified: 2024-08-26T16:07:27.837

Link: CVE-2024-7047

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7047", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2024-07-23T19:02:09.094Z", "datePublished": "2024-07-25T00:30:40.657Z", "dateUpdated": "2024-08-29T15:05:00.689Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "versions": [{"lessThan": "17.0.5", "status": "affected", "version": "16.6", "versionType": "semver"}, {"lessThan": "17.1.3", "status": "affected", "version": "17.1", "versionType": "semver"}, {"lessThan": "17.2.1", "status": "affected", "version": "17.2", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability has been discovered internally by GitLab team member [Joern Schneeweisz](https://gitlab.com/joernchen)."}], "descriptions": [{"lang": "en", "value": "A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-08-29T15:05:00.689Z"}, "references": [{"name": "GitLab Issue #455318", "tags": ["issue-tracking", "permissions-required"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455318"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 17.0.5, 17.1.3, 17.2.1 or above."}], "title": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab"}, "adp": [{"affected": [{"vendor": "gitlab", "product": "gitlab", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "16.6", "status": "affected", "lessThan": "17.0.5", "versionType": "semver"}, {"version": "17.1", "status": "affected", "lessThan": "17.1.3", "versionType": "semver"}, {"version": "17.2", "status": "affected", "lessThan": "17.2.1", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-26T19:21:10.790408Z", "id": "CVE-2024-7047", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T19:21:17.148Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.425Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455318", "name": "GitLab Issue #455318", "tags": ["issue-tracking", "permissions-required", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455318", "name": "GitLab Issue #455318", "tags": ["issue-tracking", "permissions-required", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.425Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7047", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-26T19:21:10.790408Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "vendor": "gitlab", "product": "gitlab", "versions": [{"status": "affected", "version": "16.6", "lessThan": "17.0.5", "versionType": "semver"}, {"status": "affected", "version": "17.1", "lessThan": "17.1.3", "versionType": "semver"}, {"status": "affected", "version": "17.2", "lessThan": "17.2.1", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-25T13:53:57.659Z"}}], "cna": {"title": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability has been discovered internally by GitLab team member [Joern Schneeweisz](https://gitlab.com/joernchen)."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "16.6", "lessThan": "17.0.5", "versionType": "semver"}, {"status": "affected", "version": "17.1", "lessThan": "17.1.3", "versionType": "semver"}, {"status": "affected", "version": "17.2", "lessThan": "17.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 17.0.5, 17.1.3, 17.2.1 or above."}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455318", "name": "GitLab Issue #455318", "tags": ["issue-tracking", "permissions-required"]}], "descriptions": [{"lang": "en", "value": "A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-08-29T15:05:00.689Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7047", "state": "PUBLISHED", "dateUpdated": "2024-08-29T15:05:00.689Z", "dateReserved": "2024-07-23T19:02:09.094Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2024-07-25T00:30:40.657Z", "assignerShortName": "GitLab"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "0745E87F-1991-423E-A7C7-2874AEBFD622", "versionEndExcluding": "17.0.5", "versionStartIncluding": "16.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E1F94D0B-5295-43EC-A3D7-283AB66AB6CC", "versionEndExcluding": "17.0.5", "versionStartIncluding": "16.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "E68B5BB3-0D86-4D3C-98A2-5717B267C2E3", "versionEndExcluding": "17.1.3", "versionStartIncluding": "17.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "D50D43C6-72E7-4FE7-91E3-87ED5A2934A3", "versionEndExcluding": "17.1.3", "versionStartIncluding": "17.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:7.2.0:*:*:*:community:*:*:*", "matchCriteriaId": "A6CDEF18-F9B8-428A-AAE4-13D571E5E9F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:7.2.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "687E9E4C-B2DD-48EE-A079-02638D40CBEF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross Site Scripting en GitLab CE/EE que afecta a todas las versiones desde 16.6 anterior a 17.0.5, 17.1 anterior a 17.1.3, 17.2 anterior a 17.2.1, lo que permite a un atacante ejecutar scripts arbitrarios en el contexto del usuario con sesi\u00f3n iniciada actual."}], "id": "CVE-2024-7047", "lastModified": "2024-08-26T16:07:27.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2024-07-25T01:15:09.830", "references": [{"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455318"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@gitlab.com", "type": "Secondary"}]}