CVE-2024-4994

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-4994
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/462012 Exploit Issue Tracking
https://hackerone.com/reports/2473644 Permissions Required
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:enterprise:*:*:*
History

12 Aug 2025, 14:52

Type Values Removed Values Added
References () https://gitlab.com/gitlab-org/gitlab/-/issues/462012 - () https://gitlab.com/gitlab-org/gitlab/-/issues/462012 - Exploit, Issue Tracking
References () https://hackerone.com/reports/2473644 - () https://hackerone.com/reports/2473644 - Permissions Required
First Time Gitlab gitlab
Gitlab
CPE cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:enterprise:*:*:*

23 Jun 2025, 20:16

Type Values Removed Values Added
Summary
  • (es) Se ha descubierto un problema en GitLab CE/EE que afecta a todas las versiones desde la 16.1.0 anterior a la 16.11.5, todas las versiones desde la 17.0 anterior a la 17.0.3 y todas las versiones desde la 17.1.0 anterior a la 17.1.1, lo que permitió un ataque CSRF a la API GraphQL de GitLab que provocó la ejecución de mutaciones arbitrarias de GraphQL.

20 Jun 2025, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-20 19:15

Updated : 2025-08-12 14:52

NVD link : CVE-2024-4994

Mitre link : CVE-2024-4994

CVE.ORG link : CVE-2024-4994

JSON object : View

Products Affected

gitlab

  • gitlab
CWE
CWE-352

Cross-Site Request Forgery (CSRF)