CVE-2025-2498
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-15
Assigner: GitLab Inc.
Description
Description
An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 12.0.0 (inc) to 18.0.6 (exc) |
| gitlab | gitlab | From 18.1.0 (inc) to 18.1.4 (exc) |
| gitlab | gitlab | From 18.2.0 (inc) to 18.2.2 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-1220 | The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper access control issue in GitLab EE versions from 12.0 up to certain fixed versions. It allows users, under certain conditions, to bypass IP restrictions and view assigned issues from restricted groups that they should not have access to.
How can this vulnerability impact me? :
The vulnerability could allow unauthorized users to access sensitive issue information from restricted groups by bypassing IP restrictions, potentially exposing confidential project details or internal discussions.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70