CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-0456: Direct Request ('Forced Browsing') in GitLab

4.3 CVSS

Description

An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project

Classification

CVE ID: CVE-2024-0456

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem Types

CWE-425: Direct Request ('Forced Browsing')

Affected Products

Vendor: GitLab

Product: GitLab

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 24.15% (scored less or equal to compared to others)

EPSS Date: 2025-06-17 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0456
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/
https://gitlab.com/gitlab-org/gitlab/-/issues/430726

Timeline

2025-05-29 16:40:14 UTC
CVE

Direct Request ('Forced Browsing') in GitLab