Medium CVSS 6.4

Overview

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider.

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

  • CVSS: 6.4 (MEDIUM)
  • Detected tags: csrf, jwt (tag impact: MODERATE)

Recommended actions:

  • Upgrade to GitLab 16.9.7, 16.10.5 or 16.11.2 (or later), the first unaffected version in each release line named in the overview.
  • Bind the login flow to the browser session: a per-session CSRF/state token that the callback must present, SameSite session cookies (Strict where the flow allows it; Lax still lets the top-level redirect back from the identity provider carry the cookie that the state check needs), and Origin/Referer validation on the form posts that start the flow.
  • Pin the accepted JWT algorithm server-side (HS256 or RS256, never `none` and never whatever `alg` the token itself claims), rotate signing secrets, and keep expiries short.
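The controls above, worked through on a login flow that receives a JWT, as an added example in Ruby (the language of GitLab and OmniAuth). This is not GitLab or OmniAuth code and the page does not describe the exact mechanism of the GitLab flaw; the example shows the generic login-CSRF pattern these mitigations address, with an unsafe callback that trusts any valid token beside a hardened one that also demands a session-bound state value. The module name, the `:omniauth_state` session key, the `jwt`/`state` parameter names, the cookie name and the shared secret are this example's own assumptions, and it assumes the identity provider echoes `state` back unchanged.

```ruby
require 'base64'
require 'json'
require 'openssl'
require 'securerandom'
require 'uri'

# Added illustration, not GitLab or OmniAuth code. All names below are assumptions.
module CallbackGuard
  module_function

  # Constant-time byte comparison; a plain == stops at the first differing byte.
  def secure_equal?(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Step 1: the page that starts login stores a random state in the session and
  # passes it to the identity provider, which is assumed to echo it back.
  def issue_state(session)
    session[:omniauth_state] = SecureRandom.hex(32)
  end

  # The flow-starting request is a form POST from our own pages, so its Origin
  # (or Referer when Origin is absent) must be ours; a cross-site POST from
  # evil.example carries Origin: https://evil.example and is refused. Requests
  # with neither header are refused as well (fail closed).
  def same_origin?(headers, allowed_origin)
    source = headers['Origin'] || headers['Referer']
    return false if source.nil?
    got, allowed = URI(source), URI(allowed_origin)
    got.scheme == allowed.scheme && got.host == allowed.host && got.port == allowed.port
  rescue URI::InvalidURIError
    false
  end

  # Session cookie attributes. Strict blocks every cross-site send, including the
  # top-level redirect from the identity provider back to our callback; Lax lets
  # that redirect carry the cookie so the state check can read the session.
  def session_cookie_header(value, same_site: 'Lax')
    "_app_session=#{value}; Path=/; Secure; HttpOnly; SameSite=#{same_site}"
  end

  # --- JWT handling, HS256 with the standard library only ---------------------
  def b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def decode_json(segment)
    JSON.parse(Base64.urlsafe_decode64(segment).force_encoding(Encoding::UTF_8))
  end

  # Builds a token; stands in for the identity provider when constructing input.
  def sign_hs256(payload, secret)
    head = b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
    body = b64url(JSON.generate(payload))
    sig  = OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}")
    "#{head}.#{body}.#{b64url(sig)}"
  end

  # Pins the algorithm (a token claiming alg=none or RS256 is rejected before any
  # key is touched), compares the signature in constant time and requires an
  # integer exp claim that lies in the future. Returns the payload or nil.
  def verify_hs256(token, secret, now: Time.now.to_i)
    head_b64, body_b64, sig_b64 = token.to_s.split('.', 3)
    return nil if sig_b64.nil?
    header = decode_json(head_b64)
    return nil unless header.is_a?(Hash) && header['alg'] == 'HS256'
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{head_b64}.#{body_b64}")
    return nil unless secure_equal?(expected, Base64.urlsafe_decode64(sig_b64))
    payload = decode_json(body_b64)
    return nil unless payload.is_a?(Hash) && payload['exp'].is_a?(Integer) && payload['exp'] > now
    payload
  rescue JSON::ParserError, ArgumentError, EncodingError
    nil # any malformed token is simply rejected
  end

  # --- The callback -----------------------------------------------------------
  # Vulnerable shape: any valid token completes the login, so a link or form on
  # an attacker's site can submit the attacker's own token and log the victim's
  # browser into the attacker's account (login CSRF).
  def unsafe_callback(params, secret)
    verify_hs256(params['jwt'], secret)
  end

  # Hardened shape: the request must also carry the one-time state this session
  # issued, so a URL crafted elsewhere cannot complete the login here.
  def safe_callback(session, params, secret)
    expected = session.delete(:omniauth_state) # single use
    return :csrf_state_mismatch unless secure_equal?(expected, params['state'])
    verify_hs256(params['jwt'], secret) || :bad_token
  end
end
```

The state check is the control that actually stops the cross-site login: the Origin/Referer check belongs on the same-site POST that starts the flow, because the redirect back from the identity provider carries no Origin of ours, and SameSite=Strict on the session cookie would keep that redirect from reaching the session at all, which is why the cookie helper defaults to Lax.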
