ByteOS Network

CVE Vulnerability Details :

CVE-2025-2498

PUBLISHED

More Info Official Page

Assigner-GitLab

Assigner Org ID-ceab7361-8a18-47b1-92ba-4d7d25f6715a

Published At-13 Aug, 2025 | 17:27

Updated At-13 Aug, 2025 | 20:02

▼CVE Numbering Authority (CNA)

Insufficient Granularity of Access Control in GitLab

An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.

Affected Products

Vendor

GitLab Inc.

Product

GitLab

Repo

git://git@gitlab.com:gitlab-org/gitlab.git

CPEs

cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

Default Status

unaffected

Versions

Affected

From 12.0 before 18.0.6 (semver)
From 18.1 before 18.1.4 (semver)
From 18.2 before 18.2.2 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-1220	CWE-1220: Insufficient Granularity of Access Control

Metrics

Version	Base score	Base severity	Vector
3.1	3.1	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Solutions

Upgrade to versions 18.0.6, 18.1.4, 18.2.2 or above.

Credits

finder

Thanks [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program

References

Hyperlink	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/525515	issue-tracking permissions-required
https://hackerone.com/reports/3037722	technical-description exploit permissions-required

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References