Bug 2277132 (CVE-2024-1347)

Summary:	CVE-2024-1347 gitlab: bypass domain based restrictions on an instance or a group by a crafted email
Product:	[Other] Security Response	Reporter:	Rohit Keshri <rkeshri>
Component:	vulnerability	Assignee:	Product Security <prodsec-ir-bot>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	dfreiber, drow, jburrell, sidakwo, vkumar
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in GitLab CE/EE. Under certain conditions, an attacker, through a crafted email address, can bypass domain-based restrictions on an instance or a group. This issue affects all versions through 16.9.6, 16.10 through 16.10.4, and 16.11 through 16.11.1.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2277134
Bug Blocks:	2277135

Description Rohit Keshri 2024-04-25 12:00:08 UTC

An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restrictions on an instance or a group.

https://gitlab.com/gitlab-org/gitlab/-/issues/441093
https://hackerone.com/reports/2355565

Comment 1 Rohit Keshri 2024-04-25 12:01:02 UTC

Created rubygem-highline tracking bugs for this issue:

Affects: fedora-all [bug 2277134]