Cyber Posture

CVE-2024-9870

Severity: Medium · Public PoC available

Published: 12 February 2025
Modified: 06 August 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: upgrade to GitLab EE 17.6.5, 17.7.4, 17.8.2 or later
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0003 (7.7th percentile)
Risk Priority: 9 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-9870 is a medium-severity Confused Deputy vulnerability (CWE-441, Unintended Proxy or Intermediary) in GitLab (vendor: GitLab). Its CVSS v3.1 base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 7.7th percentile by exploit likelihood (EPSS, below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

[prevent] SI-2 (Flaw Remediation) requires timely flaw remediation, directly mitigating this SSRF vulnerability by patching GitLab EE to a fixed version (17.6.5, 17.7.4, 17.8.2 or later).

[prevent, detect] SC-7 (Boundary Protection) monitors and controls communications at system boundaries, blocking or detecting unauthorized outbound requests from the GitLab server to unintended services.

[prevent] SI-10 (Information Input Validation) validates information inputs, preventing low-privileged attackers from supplying SSRF payloads that trick the GitLab server into external service interactions.
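The SC-7 and SI-10 controls above both come down to one server-side check: before the application fetches a user-supplied URL, validate the scheme and confirm that every address the host resolves to lies outside the ranges an outbound request must never reach. The following Ruby example (GitLab is a Rails application, but this is added illustration, not GitLab's own code) implements that check with an injectable resolver so it can be exercised offline. The blocked range list, the `check_outbound_url` name and the constructed hostnames are assumptions for this example.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Address ranges an outbound request from the server should never reach:
# loopback, RFC 1918 private space, link-local (incl. 169.254.169.254 cloud
# metadata), CGNAT, IPv6 ULA/link-local and IPv4-mapped IPv6. This list is an
# assumption for the example; tune it to your own network.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |cidr| IPAddr.new(cidr) }

ALLOWED_SCHEMES = %w[http https].freeze

# Result of the check: whether the fetch may proceed, why, and the addresses seen.
OutboundDecision = Struct.new(:allowed, :reason, :resolved)

# Validate a user-supplied URL before the server makes a request to it.
# `resolver` maps a hostname to an array of address strings; the default uses
# real DNS, tests inject a stub. Fails closed on anything it cannot classify.
def check_outbound_url(url, resolver: ->(h) { Resolv.getaddresses(h) })
  uri = URI.parse(url.to_s)
  return OutboundDecision.new(false, 'scheme not allowed', []) unless ALLOWED_SCHEMES.include?(uri.scheme)

  host = uri.hostname # URI#hostname strips IPv6 brackets ("[::1]" -> "::1")
  return OutboundDecision.new(false, 'missing host', []) if host.nil? || host.empty?

  addrs = begin
    [IPAddr.new(host)] # literal IP: no resolution needed
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  return OutboundDecision.new(false, 'host did not resolve', []) if addrs.empty?

  # Every resolved address must be public. A single internal record is enough
  # to refuse, which defeats mixed A-record responses. Note that the address
  # must be pinned at connect time as well (resolve once, connect to that IP),
  # otherwise a DNS rebinding between check and fetch bypasses this test.
  blocked = addrs.find { |a| BLOCKED_RANGES.any? { |range| range.include?(a) } }
  if blocked
    return OutboundDecision.new(false, "resolves to blocked address #{blocked}", addrs.map(&:to_s))
  end

  OutboundDecision.new(true, 'ok', addrs.map(&:to_s))
rescue URI::InvalidURIError
  OutboundDecision.new(false, 'unparseable url', [])
end
```

Wire this in front of every outbound fetch that takes user input (webhooks, import URLs, integrations), and emit the `reason` and `resolved` fields to logs: a burst of "resolves to blocked address" decisions from one low-privileged account is exactly the SC-7 detection signal the control describes.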

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The SSRF vulnerability (CWE-918) in the public-facing GitLab web application directly enables exploitation of the application to force unauthorized outbound requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An external service interaction vulnerability in GitLab EE affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send requests from the GitLab server to unintended services.

Deeper analysis

CVE-2024-9870 is an external service interaction vulnerability in GitLab Enterprise Edition (EE), affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. Classified under CWE-441 (Unintended Proxy or Intermediary) and CWE-918 (Server-Side Request Forgery), it allows an attacker to cause the GitLab server to send requests to unintended services. The vulnerability received a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) and was published on 2025-02-12.

A low-privileged authenticated user (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation tricks the GitLab server into making unauthorized outbound requests to external services, resulting in low confidentiality impact (C:L) within the unchanged security scope (S:U), with no integrity or availability effects.

Mitigation requires upgrading to GitLab EE 17.6.5, 17.7.4, 17.8.2, or later versions, as indicated by the affected version ranges. Official advisories are available in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/498911 and the HackerOne disclosure report at https://hackerone.com/reports/2734142.

Details

CWE(s)

CWE-441 (Unintended Proxy or Intermediary, "Confused Deputy") · CWE-918 (Server-Side Request Forgery)

Affected Products

GitLab (vendor: GitLab), Enterprise Edition
15.11.0 up to (not including) 17.6.5 · 17.7.0 up to (not including) 17.7.4 · 17.8.0 up to (not including) 17.8.2

CVEs Like This One

CVE-2025-9222 (same product: GitLab)
CVE-2026-0723 (same product: GitLab)
CVE-2026-1092 (same product: GitLab)
CVE-2025-14513 (same product: GitLab)
CVE-2025-7659 (same product: GitLab)
CVE-2025-0314 (same product: GitLab)
CVE-2025-6948 (same product: GitLab)
CVE-2024-9631 (same product: GitLab)
CVE-2025-14560 (same product: GitLab)
CVE-2026-5262 (same product: GitLab)

References

GitLab issue tracker: https://gitlab.com/gitlab-org/gitlab/-/issues/498911
HackerOne disclosure report: https://hackerone.com/reports/2734142