mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
110 lines
4.0 KiB
JSON
110 lines
4.0 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2024-6595",
|
|
"ASSIGNER": "cve@gitlab.com",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-427: Uncontrolled Search Path Element",
|
|
"cweId": "CWE-427"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "GitLab",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "GitLab",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "11.8",
|
|
"version_value": "16.11.6"
|
|
},
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "17.0",
|
|
"version_value": "17.0.4"
|
|
},
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "17.1",
|
|
"version_value": "17.1.2"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/417975",
|
|
"refsource": "MISC",
|
|
"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/417975"
|
|
},
|
|
{
|
|
"url": "https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem",
|
|
"refsource": "MISC",
|
|
"name": "https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem"
|
|
}
|
|
]
|
|
},
|
|
"solution": [
|
|
{
|
|
"lang": "en",
|
|
"value": "Upgrade to versions 16.11.6, 17.0.4, 17.1.2 or above."
|
|
}
|
|
],
|
|
"credits": [
|
|
{
|
|
"lang": "en",
|
|
"value": "Thanks vulnerability was found internally by a GitLab team member [Ameya Darshan](https://gitlab.com/ameyadarshan). Thanks to [Darcy Clarke](https://x.com/darcy) for their work on [manifest confusion](https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem)."
|
|
}
|
|
],
|
|
"impact": {
|
|
"cvss": [
|
|
{
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "HIGH",
|
|
"privilegesRequired": "LOW",
|
|
"userInteraction": "REQUIRED",
|
|
"scope": "CHANGED",
|
|
"confidentialityImpact": "NONE",
|
|
"integrityImpact": "LOW",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 3,
|
|
"baseSeverity": "LOW"
|
|
}
|
|
]
|
|
}
|
|
} |