CVE-2024-13041 — Vulnetix

CVE-2024-13041 PUBLISHED

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider configuration. As a result, the user may not be marked as external thereby giving those users access to internal projects or groups.

EPSS 0.17% · 37.3th percentile

Risk Scores

EPSS Score

0.17%

37.3th percentile

Affected Products

Vendor	Product	Versions
Bitnami	gitlab	16.4.0, 17.6.0, 17.7.0
Bitnami	gitlab	16.4.0, 17.6.0, 17.7.0

Timeline

Jan 21, 1970 Security Advisory
Jan 8, 2025 PoC Published
Jan 8, 2025 CVE Published
Jan 9, 2025 PoC Published
Jan 9, 2025 PoC Published
Jan 10, 2025 EPSS Score
Jan 26, 2025 EPSS Score
Jan 27, 2025 CVE Updated
Feb 10, 2025 EPSS Score
Feb 26, 2025 EPSS Score
Mar 14, 2025 EPSS Score
Mar 29, 2025 EPSS Score

References

https://about.gitlab.com/releases/2025/01/08/patch-release-gitlab-17-7-1-released/#instance-saml-does-not-respect-external_provider-configuration url
https://gitlab.com/gitlab-org/gitlab/-/issues/479165 url
https://nvd.nist.gov/vuln/detail/CVE-2024-13041 url

Open in Interactive Console →