CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-1250: Privilege Chaining in GitLab

6.5 CVSS

Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.8 before 16.8.2. When a user is assigned a custom role with manage_group_access_tokens permission, they may be able to create group access tokens with Owner privileges, which may lead to privilege escalation.

Classification

CVE ID: CVE-2024-1250

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Problem Types

CWE-268: Privilege Chaining

Affected Products

Vendor: GitLab

Product: GitLab

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 1.02% (scored less or equal to compared to others)

EPSS Date: 2025-06-05 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-1250
https://gitlab.com/gitlab-org/gitlab/-/issues/439175

Timeline

2025-05-07 21:40:14 UTC
CVE

Privilege Chaining in GitLab