CVE-2024-1211
Published: 31 January 2025
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider.
Security Summary
CVE-2024-1211 is a cross-site request forgery (CSRF) vulnerability, mapped to CWE-352, discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). It affects all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2, but only on GitLab instances configured to use JWT as an OmniAuth provider. The vulnerability carries a CVSS v3.1 base score of 6.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).
Exploitation requires network access and low privileges on the part of the attacker, combined with high attack complexity and user interaction, such as tricking an authenticated user into submitting a crafted request. A successful attack lets the attacker act on behalf of the victim, with high impact on confidentiality and integrity and no impact on availability.
Mitigation is achieved by upgrading to patched versions: 16.9.7, 16.10.5, or 16.11.2. Additional details on the issue and resolution are documented in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/440313 and the corresponding HackerOne report at https://hackerone.com/reports/2323594.
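Two things a defender typically wants to check against an advisory like this are whether a given GitLab version falls inside the affected ranges and whether the published CVSS vector really produces the stated base score. The following is an added example written for this page, not code from GitLab, NVD or the advisory itself. It encodes the three version ranges and the vector exactly as stated above and assumes GitLab versions are given as plain dotted numbers (an edition suffix such as "-ee" is tolerated); the `jwt_omniauth_enabled` flag is an operator-supplied input reflecting the advisory's precondition, not something the code discovers.

```python
"""Triage helpers for CVE-2024-1211 (added example; not from the advisory)."""
import re

# Affected ranges as stated in the advisory: [lower, upper) with upper = fixed version.
AFFECTED_RANGES = [
    ("10.6", "16.9.7"),
    ("16.10", "16.10.5"),
    ("16.11", "16.11.2"),
]

# CVSS v3.1 metric weights from the FIRST specification (section 7.4).
_WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
# Privileges Required weight depends on Scope: (Unchanged, Changed).
_PR_WEIGHTS = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}


def parse_version(version):
    """'16.9.7' -> (16, 9, 7); missing components are 0; trailing '-ee' etc. ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable GitLab version: {version!r}")
    return tuple(int(n or 0) for n in m.groups())


def is_affected(version, jwt_omniauth_enabled=True):
    """True if this GitLab version is in an affected range and JWT OmniAuth is in use.

    The advisory limits exposure to instances configured with JWT as an
    OmniAuth provider, so an operator passes that configuration state in.
    """
    if not jwt_omniauth_enabled:
        return False
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def _roundup(value):
    """CVSS v3.1 Roundup(): smallest one-decimal number >= value, computed on integers
    to avoid floating-point artefacts (the spec's reference implementation does the same)."""
    i = int(round(value * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (i // 10000 + 1) / 10.0


def cvss31_base_score(vector):
    """Compute the CVSS v3.1 base score from a vector such as
    'AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N' (an optional 'CVSS:3.1/' prefix is accepted)."""
    metrics = {}
    for part in vector.split("/"):
        key, _, val = part.partition(":")
        if key != "CVSS":
            metrics[key] = val
    changed = metrics["S"] == "C"
    w = lambda metric: _WEIGHTS[metric][metrics[metric]]

    iss = 1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A"))
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr = _PR_WEIGHTS[metrics["PR"]][1 if changed else 0]
    exploitability = 8.22 * w("AV") * w("AC") * pr * w("UI")

    if impact <= 0:
        return 0.0
    if changed:
        return _roundup(min(1.08 * (impact + exploitability), 10))
    return _roundup(min(impact + exploitability, 10))


if __name__ == "__main__":
    # Constructed sample inputs: a vulnerable build and the first fixed build of each branch.
    for ver in ["16.9.6", "16.9.7", "16.10.4", "16.10.5", "16.11.1", "16.11.2", "17.0.0-ee"]:
        print(f"{ver:>10}: affected={is_affected(ver)}")
    print("base score:", cvss31_base_score("AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"))
```

The version check is deliberately strict about the fixed versions: 16.9.7, 16.10.5 and 16.11.2 are the upper bounds and are reported as not affected, matching the advisory's "prior to" wording. Recomputing the score from the vector is a cheap consistency check when an advisory's number and vector come from different sources.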
Details
- CWE(s)