CVE-2024-7296: Incorrect Authorization in GitLab

2.7 CVSS

Description

An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.

Classification

CVE ID: CVE-2024-7296

CVSS Base Severity: LOW

CVSS Base Score: 2.7

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Problem Types

CWE-863: Incorrect Authorization

Affected Products

Vendor: GitLab

Product: GitLab

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 0.7% (scored less or equal to compared to others)

EPSS Date: 2025-04-11 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-7296
https://gitlab.com/gitlab-org/gitlab/-/issues/475056
https://hackerone.com/reports/2602274

Timeline

2025-03-13 07:40:14 UTC
CVE

Incorrect Authorization in GitLab