Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.
AnalysisAI
CVE-2024-4994 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab's GraphQL API that allows unauthenticated attackers to execute arbitrary GraphQL mutations through a malicious website visited by authenticated GitLab users. This affects GitLab CE/EE versions 16.1.0-16.11.4, 17.0.0-17.0.2, and 17.1.0, with a CVSS score of 8.1 indicating high severity. The vulnerability requires user interaction (clicking a malicious link) but can result in unauthorized data manipulation or system compromise depending on the mutations executed.
Technical ContextAI
The vulnerability exists in GitLab's GraphQL API endpoint implementation, which failed to implement proper CSRF token validation for state-changing operations (mutations). GraphQL mutations are the write/modification operations within GraphQL, analogous to POST/PUT/DELETE in REST APIs. The root cause is CWE-352 (Cross-Site Request Forgery), where the API accepts authenticated GraphQL mutation requests from cross-origin sources without verifying that the request originated from a legitimate GitLab interface. This is a classic CSRF vulnerability pattern where an attacker crafts a malicious webpage containing GraphQL mutation payloads that execute when a logged-in user visits the attacker's site. The vulnerability affects CPE:2.3:a:gitlab:gitlab:* versions spanning multiple release branches (16.1.x, 17.0.x, 17.1.x), indicating the vulnerability was introduced or persisted across multiple major releases.
RemediationAI
Immediate remediation: (1) Upgrade GitLab to patched versions: 16.11.5 or later (for 16.1.x-16.11.x users), 17.0.3 or later (for 17.0.x users), or 17.1.1 or later (for 17.1.x users); (2) Follow GitLab's official upgrade procedure to ensure database migrations and service restarts complete successfully. Short-term mitigations if immediate patching is not possible: (1) Implement Web Application Firewall (WAF) rules to detect and block GraphQL mutation requests originating from cross-origin sources (check for missing or invalid CSRF tokens on GraphQL endpoints); (2) Restrict GraphQL API access to trusted networks using network-level controls; (3) Implement Content Security Policy (CSP) headers to limit the ability of malicious sites to forge requests. Monitor for signs of exploitation by reviewing GraphQL mutation logs for suspicious activity, particularly mutations that alter user permissions, group memberships, or project data from unexpected sources. For GitLab.com SaaS users, GitLab has patched the platform; self-managed instances must apply patches manually.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | ignored | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| sid | vulnerable | 17.6.5-19 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2024-54992