CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-0861: Direct Request ('Forced Browsing') in GitLab

4.3 CVSS

Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions.

Classification

CVE ID: CVE-2024-0861

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem Types

CWE-425: Direct Request ('Forced Browsing')

Affected Products

Vendor: GitLab

Product: GitLab

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 4.29% (scored less or equal to compared to others)

EPSS Date: 2025-06-19 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0861
https://gitlab.com/gitlab-org/gitlab/-/issues/439240
https://hackerone.com/reports/2316435

Timeline

2025-05-22 05:40:20 UTC
CVE

Direct Request ('Forced Browsing') in GitLab