CVE-2024-9870

An external service interaction vulnerability in GitLab EE affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send requests from the GitLab server to unintended services.

CVSS v3.0 8.8 HIGH

8.8^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/498911	Exploit Issue Tracking
https://hackerone.com/reports/2734142	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

06 Aug 2025, 18:48

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/498911 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/498911 - Exploit, Issue Tracking
References	~~() https://hackerone.com/reports/2734142 -~~	() https://hackerone.com/reports/2734142 - Permissions Required
First Time		Gitlab gitlab Gitlab
CWE		CWE-918
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

12 Feb 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-12 16:15

Updated : 2025-08-06 18:48

NVD link : CVE-2024-9870

Mitre link : CVE-2024-9870

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

CWE-918

Server-Side Request Forgery (SSRF)

8.8 /10