github - ghsa-x8pf-46vx-rg97

ghsa-x8pf-46vx-rg97

Vulnerability from github

Published

2024-07-25 03:31

Modified

2024-07-25 03:31

Severity

7.7 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Details

A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-25T01:15:09Z",
    "severity": "HIGH"
  },
  "details": "A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user.",
  "id": "GHSA-x8pf-46vx-rg97",
  "modified": "2024-07-25T03:31:42Z",
  "published": "2024-07-25T03:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7047"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455318"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2024-7047

Vulnerability from cvelistv5

Published

2024-07-25 00:30

Modified

2024-08-29 15:05

Severity

7.7 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

References

URL	Tags
https://gitlab.com/gitlab-org/gitlab/-/issues/455318	issue-tracking, permissions-required

Impacted products

Vendor	Product
GitLab	GitLab

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "gitlab",
            "vendor": "gitlab",
            "versions": [
              {
                "lessThan": "17.0.5",
                "status": "affected",
                "version": "16.6",
                "versionType": "semver"
              },
              {
                "lessThan": "17.1.3",
                "status": "affected",
                "version": "17.1",
                "versionType": "semver"
              },
              {
                "lessThan": "17.2.1",
                "status": "affected",
                "version": "17.2",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7047",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-26T19:21:10.790408Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-26T19:21:17.148Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:45:38.425Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "GitLab Issue #455318",
            "tags": [
              "issue-tracking",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455318"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "17.0.5",
              "status": "affected",
              "version": "16.6",
              "versionType": "semver"
            },
            {
              "lessThan": "17.1.3",
              "status": "affected",
              "version": "17.1",
              "versionType": "semver"
            },
            {
              "lessThan": "17.2.1",
              "status": "affected",
              "version": "17.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This vulnerability has been discovered internally by GitLab team member [Joern Schneeweisz](https://gitlab.com/joernchen)."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-29T15:05:00.689Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #455318",
          "tags": [
            "issue-tracking",
            "permissions-required"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/455318"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 17.0.5, 17.1.3, 17.2.1 or above."
        }
      ],
      "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2024-7047",
    "datePublished": "2024-07-25T00:30:40.657Z",
    "dateReserved": "2024-07-23T19:02:09.094Z",
    "dateUpdated": "2024-08-29T15:05:00.689Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.