CVE-2024-4099 LOW

CVE-2024-4099: Improper Encoding or Escaping of Output in GitLab

Vendor Gitlab
Product GitLab
Weakness CWE-116
Published September 26, 2024
Last update September 27, 2024

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection.

Key dates

02Disclosure timeline

September 26, 2024 CVE published
September 27, 2024 Record updated