CVE-2024-8977

HIGH

GitLab 15.10-17.2.8, 17.3-17.3.4, 17.4-17.4.1 - Server-Side Request Forgery via Product Analytics Dashboard


Description

An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.

References (2)

https://gitlab.com/gitlab-org/gitlab/-/issues/491060 (issue tracking; permissions required; broken link)
https://hackerone.com/reports/2697456 (technical description; exploit; permissions required)

Scores

CVSS v3 8.2
EPSS 0.0006
EPSS Percentile 19.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-918
Status published
Products (1)
gitlab/gitlab 15.10 - 17.2.9
Published Oct 10, 2024
Tracked Since Feb 18, 2026