CVE-2024-8650 MEDIUM

CVE-2024-8650: Incorrect Authorization in GitLab

Vendor Gitlab
Product GitLab
Weakness CWE-863 · Incorrect authorization
Published December 16, 2024
Last update December 16, 2024
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests.

Key dates

02Disclosure timeline

December 16, 2024 CVE published
December 16, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-29773 kubewarden-controller cross-namespace data exfiltration via deprecated host callback binding CVE-2026-2293 NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass CVE-2026-30965 Parse Server session token exfiltration via `redirectClassNameForKey` query parameter CVE-2026-44557 Open WebUI: Global Knowledge Base Enumeration via knowledge-bases Meta-Collection CVE-2023-52077 External apps using tokens issued by administrators and moderators can call admin APIs