CVE-2024-3127

2024-08-2200:00:00

ubuntu.com

gitlab

unauthorized access

group level

ip restriction

security issue

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

7.1

Confidence

Low

JSON

An issue has been discovered in GitLab EE affecting all versions starting
from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all
versions starting from 17.3 before 17.3.1. Under certain conditions it may
be possible to bypass the IP restriction for groups through GraphQL
allowing unauthorised users to perform some actions at the group level.

Notes

Author	Note
mdeslaur	GitLab isn’t maintainable as a distro package, and was removed from Ubuntu because of this. We will not be fixing security issues in the gitlab package in Xenial.