CVE-2024-4099

Improper Encoding or Escaping of Output (CWE-116)

Published: Sep 26, 2024 / Updated: 54d ago

CVSS 5.3 / EPSS 0.04% / Medium

An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Timeline

First Article
Feedly found the first article mentioning CVE-2024-4099.
Sep 26, 2024 at 7:31 AM / GitLab

CVSS Estimate
Feedly estimated the CVSS score as MEDIUM.
Sep 26, 2024 at 11:15 PM

CVE Assignment
NVD published the first details for CVE-2024-4099.
Sep 26, 2024 at 11:15 PM

CVSS
A CVSS base score of 3.1 has been assigned.
Sep 26, 2024 at 11:20 PM / nvd

EPSS
EPSS Score was set to: 0.04% (Percentile: 9.6%)
Sep 27, 2024 at 9:37 AM

Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Nessus (207837).
Sep 27, 2024 at 5:15 PM

CVSS
A CVSS base score of 5.3 has been assigned.
Oct 4, 2024 at 5:35 PM / nvd
Static CVE Timeline Graph

Affected Systems

Gitlab/gitlab

Attack Patterns

CAPEC-104: Cross Zone Scripting

References

GitLab Patch Release: 17.4.1, 17.3.4, 17.2.8
Title | Severity
Maintainer can leak Dependency Proxy password by changing Dependency Proxy URL via crafted POST request | Medium
AI feature reads unsanitized content, allowing for attacker to hide prompt injection | Low
Project reference can be exposed in system notes | Low

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately.

News

GitLab 16.0 < 17.2.8 / 17.3 < 17.3.4 / 17.4 < 17.4.1 (CVE-2024-4099)
Nessus Plugin ID 207837 with Low Severity
Synopsis: The version of GitLab installed on the remote host is affected by a vulnerability.
Description: The version of GitLab installed on the remote host is affected by a vulnerability, as follows:
- An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection. (CVE-2024-4099)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution: Upgrade to GitLab version 17.2.8, 17.3.4, 17.4.1 or later.
Read more at https://www.tenable.com/plugins/nessus/207837

CVE-2024-4099
Low Severity
Description: An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection.
Read more at https://www.tenable.com/cve/CVE-2024-4099

CVE-2024-4099 | GitLab Enterprise Edition up to 17.2.7/17.3.3/17.4.0 escape output (Issue 457798)
A vulnerability, which was classified as problematic, was found in GitLab Enterprise Edition up to 17.2.7/17.3.3/17.4.0. Affected is an unknown function. The manipulation leads to escaping of output. This vulnerability is traded as CVE-2024-4099. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

CVE-2024-4099
Severity 3.1 (CVSS 3.1 Base Score)

NA - CVE-2024-4099 - An issue has been discovered in GitLab EE...
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability Impact: None
