Description

An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.

Related CPE's

a

gitlab

gitlab

3

References

https://gitlab.com/gitlab-org/gitlab/-/issues/546435

Broken Link

Weaknesses

[email protected]

Secondary
CWE-862

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

2.7 · Low

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2025-06-26T06:15:24.030

5 months ago

Last modified

2025-08-12T14:44:01.437

4 months ago