CVE-2024-9870: Unintended Proxy or Intermediary ('Confused Deputy') in GitLab
First published: Wed Feb 12 2025(Updated: )
An external service interaction vulnerability in GitLab EE affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send requests from the GitLab server to unintended services.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab Enterprise Edition | >=15.11<17.6.5>=17.7<17.7.4>=17.8<17.8.2 |
Remedy
Upgrade to versions 17.8.2, 17.7.4, 17.6.5 or above.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-9870?
CVE-2024-9870 is classified as a vulnerability that poses a risk of external service interaction.
How do I fix CVE-2024-9870?
To mitigate CVE-2024-9870, upgrade GitLab EE to versions 17.6.5, 17.7.4, or 17.8.2 or later.
What versions are affected by CVE-2024-9870?
CVE-2024-9870 affects all GitLab EE versions from 15.11 up to but not including 17.6.5, 17.7 up to but not including 17.7.4, and 17.8 up to but not including 17.8.2.
What type of vulnerability is CVE-2024-9870?
CVE-2024-9870 is an external service interaction vulnerability.
Who is impacted by CVE-2024-9870?
All users of GitLab EE versions from 15.11 to versions prior to 17.6.5, 17.7.4, and 17.8.2 are impacted by CVE-2024-9870.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/remedy
- agent/title
- agent/description
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/severity
- agent/source
- agent/tags
- agent/event
- vendor/gitlab
- canonical/gitlab enterprise edition