Menu
Deepen energy metering, focus on intelligent and digital energy management, empower utilities to double carbon revolution, and provide the world's leading smart energy management solutions.
+ 86-28-65706888
  • Add:
    No. 99 Tianquan Rd., Hi-Tech Development Zone, Chengdu, P.R.C.

Scan the WeChat QR code

Welcome to the official website!
Innovation
Brings a Better Life
Language
2025.01.21
About Apache Tomcat Denial of Service Vulnerability

Alert number: KAIFA-KSIRT-202407-19
Published : 2024/7/19
Updated on : 2024/7/19

1. Vulnerability Overview

GitLab is an open source project for a warehouse management system that uses Git as a code management tool and can access public or private projects through a web interface.

Recently, we detected an improper access control vulnerability (CVE-2024-6385) fixed in GitLab Community Edition (CE) and Enterprise Edition (EE). Successful exploitation of this vulnerability could allow a threat actor to trigger a pipeline as another user in certain circumstances.

Affected users are advised to conduct self-inspection of their assets and take preventive measures to avoid hacker attacks.

2. Versions and fixes

Affected Products

Patched version

Affected versions

GitLab

16.11.6

15.8<= GitLab CE/EE < 16.11.6

GitLab

17.0.4

17.0<= GitLab CE/EE < 17.0.4

GitLab

17.1.2

17.1<= GitLab CE/EE < 17.1.2

III. Impact and Consequences

In some cases, the threat actor can trigger the pipeline as another user.

Vulnerability Scoring

Vulnerability using KAIFA AMI scoring rules for grading

Final score: 9.6

V. Technical Details

Prerequisites for exploiting the vulnerability: when processing Http/2 streams .

Vulnerability details:

Recently, we detected an improper access control vulnerability (CVE-2024-6385) fixed in GitLab Community Edition (CE) and Enterprise Edition (EE). Successful exploitation of this vulnerability could allow a threat actor to trigger a pipeline as another user in certain circumstances.

6. Circumvention Measures

none

7. Version acquisition path

Services that support automatic updates will receive system update prompts, and users can perform system updates to fix the vulnerabilities. Or they can manually download official website plug-ins to update and fix the vulnerabilities.

8. Vulnerability Source

Supplier notification

IX. Update Records

KAIFA-KSIRT-Initial

10. FAQs

none

11. Developing external security response services

K AIFA has always advocated doing its utmost to protect the ultimate interests of product users, following the principle of responsible disclosure of security incidents, and handling product safety issues through the product safety issue handling mechanism.

12. Statement

This document is provided "as is" without any express, implied or statutory warranty, including (but not limited to) the warranty of merchantability, fitness for purpose and non-infringement. In no event shall K AIFA or its directly or indirectly controlled subsidiaries, or its suppliers, be liable for any loss, including direct, indirect, incidental, consequential loss of business profits or special damages. You shall bear all legal liabilities arising from the use of this document in any way. K AIFA may modify or update the content and information contained in this document at any time.