CVE-2024-8754 Vulnerability Analysis & Exploit Details

CVE-2024-8754 Vulnerability Summary

CVE-2024-8754: An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured.

Exploit Prediction Scoring System (EPSS)

The EPSS score estimates the probability that this vulnerability will be exploited in the near future.

EPSS Score: 0.068% (probability of exploit)

EPSS Percentile: 33.12% (lower percentile = lower relative risk)
This vulnerability is less risky than approximately 66.88% of others.

CVE-2024-8754 References

External References

• https://gitlab.com/gitlab-org/gitlab/-/issues/464062

CWE Common Weakness Enumeration

CAPEC Common Attack Pattern Enumeration and Classification

• Exploitation of Trusted Identifiers CAPEC-21 An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
• Accessing/Intercepting/Modifying HTTP Cookies CAPEC-31 This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.

Vulnerable Configurations

• cpe:2.3:a:gitlab:gitlab:16.9.7:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.9.7:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.9.7:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.9.7:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.9.8:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.9.8:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.9.8:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.9.8:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.0:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.0:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.0:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.0:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.1:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.1:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.1:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.1:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.2:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.2:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.2:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.2:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.3:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.3:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.3:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.3:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.4:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.4:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.4:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.4:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.5:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.5:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.5:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.5:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.6:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.6:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.6:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.6:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.7:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.7:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.10.7:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.10.7:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.0:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.0:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.0:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.0:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.1:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.1:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.1:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.1:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.2:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.2:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.2:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.2:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.3:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.3:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.3:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.3:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.4:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.4:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.4:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.4:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.5:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.5:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.5:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.5:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.6:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.6:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:16.11.6:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:16.11.6:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.0:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.0:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.0:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.0:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.1:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.1:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.1:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.1:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.2:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.2:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.2:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.2:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.3:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.3:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.3:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.3:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.4:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.4:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.4:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.4:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.0.6:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.0.6:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.1:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.1:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.1:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.1:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.2:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.2:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.2:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.2:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.2:*:*:*:*:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.2:*:*:*:*:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.3:*:*:*:*:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.3:*:*:*:*:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.3:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.3:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.4:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.4:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.1.6:*:*:*:*:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.1.6:*:*:*:*:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.2.0:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.2.0:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.2.0:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.2.0:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.2.1:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.2.1:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.2.2:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.2.2:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.2.4:*:*:*:*:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.2.4:*:*:*:*:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.3.0:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.3.0:*:*:*:community:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.3.0:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.3.0:*:*:*:enterprise:*:*:*
• cpe:2.3:a:gitlab:gitlab:17.3.1:*:*:*:*:*:*:*
  cpe:2.3:a:gitlab:gitlab:17.3.1:*:*:*:*:*:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2025-43903 – NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.
• CVE-2025-3796 – A vulnerability classified as critical has been found in PHPGurukul Men Salon Management System 1.0. This affects an unknown part of the file /admi...
• CVE-2025-32953 – z80pack is a mature emulator of multiple platforms with 8080 and Z80 CPU. In version 1.38 and prior, the `makefile-ubuntu.yml` workflow file uses `...
• CVE-2025-29058 – An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component.
• CVE-2024-53591 – An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute force attack.