CVE-2024-8647: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab

5.4 CVSS

Description

An issue was discovered in GitLab affecting all versions starting from 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self-hosted installs, it was possible to leak the anti-CSRF token to an external site while the Harbor integration was enabled.
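The practical question an operator has after reading that range list is "which of my instances still need the patch?". The following version checker is an added example for this page, not GitLab's own code or tooling. It transcribes the three affected ranges from the description; the first range is read as "15.2 up to but not including 17.4.6", matching the "prior to" wording of the other two ranges, which is an assumption to confirm against the GitLab patch release notes. The hostnames in the sample inventory are constructed for illustration.

```python
"""Affected-version check for CVE-2024-8647.

Added example for this advisory page; it is not GitLab's own code. The
ranges are transcribed from the description above. The first range is
read as "15.2 up to but not including 17.4.6", matching the "prior to"
wording of the other two ranges; that reading is an assumption to confirm
against the GitLab patch release notes for 17.4.6 / 17.5.4 / 17.6.2.
"""
from __future__ import annotations

import re

# (inclusive lower bound, exclusive upper bound), as (major, minor, patch).
AFFECTED_RANGES = (
    ((15, 2, 0), (17, 4, 6)),   # 15.2.0 .. 17.4.5 (assumption: 17.4.6 is the fix)
    ((17, 5, 0), (17, 5, 4)),   # 17.5.0 .. 17.5.3
    ((17, 6, 0), (17, 6, 2)),   # 17.6.0 .. 17.6.1
)

# GitLab reports versions such as "17.5.3-ee" or "16.11.10-ce"; the edition
# suffix carries no ordering information for this advisory and is dropped.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'X.Y', 'X.Y.Z' or 'X.Y.Z-<edition>' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the release falls inside any affected range.

    The advisory limits exposure to self-hosted installs with the Harbor
    integration enabled; a version number alone cannot tell you that, so
    treat a True result as "patch needed", not "currently exploitable".
    """
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def affected_instances(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames in {hostname: version} still on an affected release."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = {
    "gitlab-prod.example.internal": "17.5.3-ee",
    "gitlab-staging.example.internal": "17.6.2-ee",
    "gitlab-legacy.example.internal": "16.11.10-ce",
    "gitlab-lab.example.internal": "15.1.6-ce",
}

if __name__ == "__main__":
    for host in affected_instances(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2024-8647")
```

Run it against the output of your own instance list (for example the version string shown on each instance's Help page); the checker deliberately reports only the version condition, because whether the Harbor integration is enabled is a per-instance setting the advisory treats as the second precondition.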

Classification

CVE ID: CVE-2024-8647

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

Affected Products

Vendor: GitLab

Product: GitLab

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 12.66% (share of all scored vulnerabilities with an EPSS score at or below this one)

EPSS Date: 2025-02-04 (date the score was calculated)

References

https://gitlab.com/gitlab-org/gitlab/-/issues/486051
https://hackerone.com/reports/2666341

Timeline