CVE-2024-3127

MEDIUM

GitLab EE <17.1.6-17.2.4-17.3.1 - Auth Bypass

Title source: llm

Description

An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.

References (2)

Core 2

Core References

Exploit, Issue Tracking issue-tracking permissions-required

https://gitlab.com/gitlab-org/gitlab/-/issues/452640

Permissions Required technical-description exploit permissions-required

https://hackerone.com/reports/2395169

Scores

CVSS v3 4.3

EPSS 0.0002

EPSS Percentile 6.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284 CWE-863

Status published

Products (2)

gitlab/gitlab 17.3.0 (2 CPE variants)

gitlab/gitlab 12.5.0 - 17.1.6 (2 CPE variants)

Published Aug 22, 2024

Tracked Since Feb 18, 2026