CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.
AnalysisAI
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint. [CVSS 3.7 LOW]
Technical ContextAI
Classified as CWE-862 (Missing Authorization). Affects the GLQL API component of Gitlab. GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More from same product – last 7 days
Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands th
Incorrect authorization enforcement in GitLab CE/EE permits a blocked Project Access Token to continue reading private p
Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo
Denial of service in GitLab CE/EE affects all versions from 17.1 through those prior to 18.10.7, 18.11.4, and 19.0.1, al
Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated networ
Share
External POC / Exploit Code
Leaving vuln.today