
CVE-2024-13041: Incorrect User Management in GitLab

4.2 CVSS

Description

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider configuration. As a result, the user may not be marked as external, which gives such users access to internal projects or groups.
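A simplified model of the precedence problem, added here as illustration and not taken from GitLab's source: the setting names follow GitLab's documented `external_providers` / `external_groups` options, while `SamlSettings`, the two `is_external_*` functions and the `audit_unflagged` post-upgrade check over already-provisioned accounts are assumed names and logic chosen to show the faulty rule beside the intended one.

```python
# Added example (not GitLab's code): a simplified model of how a SAML-provisioned
# user's "external" flag is derived from instance SAML settings, contrasting the
# faulty precedence described in CVE-2024-13041 with the intended one, plus an
# audit helper for spotting accounts provisioned with the wrong flag.
# Setting names follow GitLab's documented omniauth options; the decision logic
# is an assumption for illustration, not the actual implementation.
from dataclasses import dataclass, field


@dataclass
class SamlSettings:
    external_providers: set = field(default_factory=set)  # providers whose users are external
    external_groups: set = field(default_factory=set)     # SAML groups that mark a user external


@dataclass
class SamlUser:
    username: str
    provider: str
    groups: set
    external: bool = False


def is_external_faulty(settings, provider, groups):
    # Faulty precedence: once an external_groups list is configured, group
    # membership alone decides and the provider-level rule is ignored.
    if settings.external_groups:
        return bool(groups & settings.external_groups)
    return provider in settings.external_providers


def is_external_fixed(settings, provider, groups):
    # Intended behaviour: either rule on its own is enough to mark the user external.
    return provider in settings.external_providers or bool(groups & settings.external_groups)


def provision(settings, username, provider, groups, decide=is_external_fixed):
    # Create a user record with the external flag computed by the chosen rule.
    groups = set(groups)
    return SamlUser(username, provider, groups, decide(settings, provider, groups))


def audit_unflagged(settings, users):
    # Usernames that should be external under the intended rule but are not flagged,
    # e.g. accounts created while the faulty precedence was in effect.
    return sorted(u.username for u in users
                  if not u.external and is_external_fixed(settings, u.provider, u.groups))
```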

Classification

CVE ID: CVE-2024-13041

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.2

Affected Products

Vendor: GitLab

Product: GitLab

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation in the wild)

EPSS Percentile: 11.48% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-07 (date the score was calculated)

References

https://gitlab.com/gitlab-org/gitlab/-/issues/479165
https://about.gitlab.com/releases/2025/01/08/patch-release-gitlab-17-7-1-released/#instance-saml-does-not-respect-external_provider-configuration
