CVE-2024-8635

HIGH

GitLab EE - SSRF

Title source: llm

Description

A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL

References (2)

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/455273

[Release Notes] https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/

Scores

CVSS v3 7.7

EPSS 0.0004

EPSS Percentile 13.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Classification

CWE

CWE-918

Status published

Affected Products (2)

gitlab/gitlab < 17.1.7

Timeline

Published Sep 12, 2024

Tracked Since Feb 18, 2026