OpenCVE

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

No data.

References

Link	Providers
https://gitlab.com/gitlab-org/gitlab/-/issues/459995

History

Wed, 16 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

Thu, 10 Oct 2024 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 10 Oct 2024 09:45:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.
Title		Incorrect Authorization in GitLab
First Time appeared		Gitlab Gitlab gitlab
Weaknesses		CWE-863
CPEs		cpe:2.3:a:gitlab:gitlab::::::::
Vendors & Products		Gitlab Gitlab gitlab
References		https://gitlab.com/gitlab-org/gitlab/-/issues/459995
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2024-10-10T09:30:38.315Z

Updated: 2024-10-10T12:52:37.951Z

Reserved: 2024-10-08T09:02:14.486Z

Link: CVE-2024-9623

Vulnrichment

Updated: 2024-10-10T12:52:34.593Z

NVD

Status : Analyzed

Published: 2024-10-10T10:15:08.770

Modified: 2024-10-16T16:59:36.817

Link: CVE-2024-9623

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9623", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2024-10-08T09:02:14.486Z", "datePublished": "2024-10-10T09:30:38.315Z", "dateUpdated": "2024-10-10T12:52:37.951Z"}, "containers": {"cna": {"title": "Incorrect Authorization in GitLab", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "8.16", "status": "affected", "lessThan": "17.2.9", "versionType": "semver"}, {"version": "17.3", "status": "affected", "lessThan": "17.3.5", "versionType": "semver"}, {"version": "17.4", "status": "affected", "lessThan": "17.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863: Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/459995", "name": "GitLab Issue #459995", "tags": ["issue-tracking", "permissions-required"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 17.2.9, 17.3.5, 17.4.2 or above."}], "credits": [{"lang": "en", "value": "This vulnerability has been discovered by [@stevenorman](https://gitlab.com/stevenorman)", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-10-10T09:30:38.315Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-10T12:52:29.418044Z", "id": "CVE-2024-9623", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-10T12:52:37.951Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9623", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-10T12:52:29.418044Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-10T12:52:34.593Z"}}], "cna": {"title": "Incorrect Authorization in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability has been discovered by [@stevenorman](https://gitlab.com/stevenorman)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "8.16", "lessThan": "17.2.9", "versionType": "semver"}, {"status": "affected", "version": "17.3", "lessThan": "17.3.5", "versionType": "semver"}, {"status": "affected", "version": "17.4", "lessThan": "17.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 17.2.9, 17.3.5, 17.4.2 or above."}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/459995", "name": "GitLab Issue #459995", "tags": ["issue-tracking", "permissions-required"]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-10-10T09:30:38.315Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9623", "state": "PUBLISHED", "dateUpdated": "2024-10-10T12:52:37.951Z", "dateReserved": "2024-10-08T09:02:14.486Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2024-10-10T09:30:38.315Z", "assignerShortName": "GitLab"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "15F65C4A-4615-4781-BCA0-398A945E97B6", "versionEndExcluding": "17.2.9", "versionStartIncluding": "8.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B30FF3D-4A27-4426-935B-6752663943A7", "versionEndExcluding": "17.2.9", "versionStartIncluding": "8.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "EE7140D0-5D8A-4EDA-91AF-5F14BC4F6307", "versionEndExcluding": "17.3.5", "versionStartIncluding": "17.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9A005AE5-1C1A-4515-9695-A502092BB75A", "versionEndExcluding": "17.3.5", "versionStartIncluding": "17.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "7132410B-A160-4C18-8BB6-E53C6A0F35D7", "versionEndExcluding": "17.4.2", "versionStartIncluding": "17.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "08991976-707A-4A7B-863D-766928E74FF7", "versionEndExcluding": "17.4.2", "versionStartIncluding": "17.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en GitLab CE/EE que afecta a todas las versiones desde la 8.16 anterior a la 17.2.9, desde la 17.3 anterior a la 17.3.5 y desde la 17.4 anterior a la 17.4.2, que permite que las claves de implementaci\u00f3n se env\u00eden a un repositorio archivado."}], "id": "CVE-2024-9623", "lastModified": "2024-10-16T16:59:36.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2024-10-10T10:15:08.770", "references": [{"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/459995"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "cve@gitlab.com", "type": "Secondary"}]}