Vulnerability DatabaseCVE-2024-4994

CVE-2024-4994:
GitLab vulnerability analysis and mitigation

Overview

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations (GitLab Release, NVD).

Technical details

The vulnerability is classified as a high severity issue with a CVSS v3.1 base score of 8.1 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. The vulnerability allows for Cross-Site Request Forgery (CSRF) attacks specifically targeting GitLab's GraphQL API, enabling the execution of arbitrary GraphQL mutations (GitLab Release).

Impact

The vulnerability could allow attackers to execute arbitrary GraphQL mutations through CSRF attacks, potentially leading to unauthorized actions being performed on behalf of authenticated users (GitLab Release).

Mitigation and workarounds

The vulnerability has been fixed in GitLab versions 16.11.5, 17.0.3, and 17.1.1. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).