PT-2024-5346 · Gitlab · Gitlab Ce/Ee+1

Js_Noob · Published 2024-07-10 · Updated 2025-12-28 · CVE-2024-5257

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

GitLab CE/EE versions 17.0 through 17.0.3
GitLab CE/EE versions 17.1 through 17.1.1

Description

The issue stems from insufficient access control in the admin compliance framework function of the Group Namespace URL Handler component in GitLab. It could allow a remote attacker to modify the URL of a group namespace. The vulnerability concerns Developer users who hold the admin compliance framework custom role; the CVSS vector (Au:S) reflects that an authenticated account is required.

Recommendations

For GitLab CE/EE versions 17.0 through 17.0.3, update to version 17.0.4 or later to resolve the issue. For GitLab CE/EE versions 17.1 through 17.1.1, update to version 17.1.2 or later to resolve the issue. As a temporary workaround, consider restricting the admin compliance framework custom role for Developer users until the patch is applied.

Weakness Enumeration

Improper Access Control
Incorrect Privilege Assignment

Related Identifiers

BDU:2024-05979
BIT-GITLAB-2024-5257
CVE-2024-5257

Affected Products

Gitlab
Gitlab Ce/Ee