CVE-2024-3127

MEDIUM

GitLab EE <17.1.6-17.2.4-17.3.1 - Auth Bypass

Title source: llm

Description

An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.

References (2)

[Exploit, Issue Tracking] https://gitlab.com/gitlab-org/gitlab/-/issues/452640

[Permissions Required] https://hackerone.com/reports/2395169

Scores

CVSS v3 4.3

EPSS 0.0002

EPSS Percentile 5.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-284 CWE-863

Status published

Affected Products (4)

gitlab/gitlab < 17.1.6

gitlab/gitlab

Timeline

Published Aug 22, 2024

Tracked Since Feb 18, 2026