EUVD-2025-19172
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4Description
An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.
Analysis
An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.
Technical Context
This vulnerability is classified as Missing Authorization (CWE-862).
Affected Products
Affected products: Gitlab Gitlab
Remediation
Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | ignored | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | not-affected | debian: Specific to EE |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| sid | fixed | 17.6.5-19 | - |
| (unstable) | not-affected | - | - |
Share
External POC / Exploit Code
Leaving vuln.today