{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8635", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2024-09-09T22:02:12.310Z", "datePublished": "2024-09-12T17:01:51.084Z", "dateUpdated": "2024-09-13T14:17:39.564Z"}, "containers": {"cna": {"title": "Server-Side Request Forgery (SSRF) in GitLab", "descriptions": [{"lang": "en", "value": "A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL"}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "16.8", "status": "affected", "lessThan": "17.1.7", "versionType": "semver"}, {"version": "17.2", "status": "affected", "lessThan": "17.2.5", "versionType": "semver"}, {"version": "17.3", "status": "affected", "lessThan": "17.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455273", "name": "GitLab Issue #455273", "tags": ["issue-tracking", "permissions-required"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 17.1.7, 17.2.5 or 17.3.2"}], "credits": [{"lang": "en", "value": "This vulnerability was discovered internally by GitLab team member [joernchen](https://gitlab.com/joernchen)", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-09-12T17:01:51.084Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-12T17:20:26.116234Z", "id": "CVE-2024-8635", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:20:47.093Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T14:17:39.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T14:17:39.564Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8635", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-12T17:20:26.116234Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:20:36.893Z"}}], "cna": {"title": "Server-Side Request Forgery (SSRF) in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability was discovered internally by GitLab team member [joernchen](https://gitlab.com/joernchen)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "16.8", "lessThan": "17.1.7", "versionType": "semver"}, {"status": "affected", "version": "17.2", "lessThan": "17.2.5", "versionType": "semver"}, {"status": "affected", "version": "17.3", "lessThan": "17.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 17.1.7, 17.2.5 or 17.3.2"}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455273", "name": "GitLab Issue #455273", "tags": ["issue-tracking", "permissions-required"]}], "descriptions": [{"lang": "en", "value": "A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-09-12T17:01:51.084Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8635", "state": "PUBLISHED", "dateUpdated": "2024-09-13T14:17:39.564Z", "dateReserved": "2024-09-09T22:02:12.310Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2024-09-12T17:01:51.084Z", "assignerShortName": "GitLab"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "D98A3E94-FD1A-4109-8A90-FD19A40CF007", "versionEndExcluding": "17.1.7", "versionStartIncluding": "16.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "FEA9798C-C168-4E92-AD2B-966A9F940A4D", "versionEndExcluding": "17.1.7", "versionStartIncluding": "16.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "9DE9BFF3-C056-4146-A762-E34D60E10EDE", "versionEndExcluding": "17.2.5", "versionStartIncluding": "17.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1F428DA1-FB1C-4B14-A1E1-65177E7F4B10", "versionEndExcluding": "17.2.5", "versionStartIncluding": "17.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "D2F29B41-64CF-4CEF-8EDF-BBDBA2FFE8C1", "versionEndExcluding": "17.3.2", "versionStartIncluding": "17.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "145E52CC-F503-446E-A760-1C01753DA938", "versionEndExcluding": "17.3.2", "versionStartIncluding": "17.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL"}, {"lang": "es", "value": "Se ha descubierto un problema de server-side request forgery en GitLab EE que afecta a todas las versiones a partir de la 16.8 anterior a la 17.1.7, de la 17.2 anterior a la 17.2.5 y de la 17.3 anterior a la 17.3.2. Un atacante pod\u00eda realizar solicitudes a recursos internos mediante una URL de proxy de dependencia de Maven personalizada"}], "id": "CVE-2024-8635", "lastModified": "2024-11-21T09:53:28.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "cve@gitlab.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-09-12T17:15:06.437", "references": [{"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455273"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cve@gitlab.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}