CVE-2024-8635
Server-Side Request Forgery (SSRF) in GitLab
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS: 0.07%
Description
A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL.
How to fix CVE-2024-8635
To remediate CVE-2024-8635, upgrade the affected package to a fixed version below.
- Upgrade to 17.1.7 or later (the description above also lists 17.2.5 and 17.3.2 as the fixed releases for the 17.2 and 17.3 branches).
Is CVE-2024-8635 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- GitLab EE: >= 16.8.0, < 17.1.7; >= 17.2.0, < 17.2.5; >= 17.3.0, < 17.3.2
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |