CVE-2017-17716

MEDIUM

GitLab 9.4.x - Improper Certificate Validation in LDAP SSL Verification


Description

GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem.

References (3)

https://gitlab.com/gitlab-org/gitlab-ce/issues/30420 (Issue Tracking, Patch, Vendor Advisory; x_refsource_misc)
https://about.gitlab.com/2017/07/28/gitlab-9-dot-4-dot-2-released/ (Issue Tracking, Vendor Advisory; x_refsource_misc)

Scores

CVSS v3 5.9
EPSS 0.0009
EPSS Percentile 24.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-295
Status published
Products (2)
gitlab/gitlab 9.4.0 (7 CPE variants)
gitlab/gitlab 9.4.1
Published Dec 17, 2017
Tracked Since Feb 18, 2026