SecuriTricks - CVE-2025-2242

Description

An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects.

Product(s) Impacted

Vendor	Product	Versions
Gitlab	Gitlab Ce Gitlab Ee	17.4-, 17.9-, 17.10-* 17.4-, 17.9-, 17.10-*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	gitlab	gitlab_ce	17.4-*	<17.8.6	/	/	/	/	/	/
a	gitlab	gitlab_ce	17.9-*	<17.9.3	/	/	/	/	/	/
a	gitlab	gitlab_ce	17.10-*	<17.10.1	/	/	/	/	/	/
a	gitlab	gitlab_ee	17.4-*	<17.8.6	/	/	/	/	/	/
a	gitlab	gitlab_ee	17.9-*	<17.9.3	/	/	/	/	/	/
a	gitlab	gitlab_ee	17.10-*	<17.10.1	/	/	/	/	/	/

References

https://gitlab.com/gitlab-org/gitlab/-/issues/516271

CVSS Score

7.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: March 27, 2025, 1:15 p.m.
Last Modified: March 27, 2025, 4:45 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@gitlab.com

CVE-2025-2242