
Multiple GitLab Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2025-2938 (CVSS: 3.1)

An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants.

CVE-2025-3279 (CVSS: 6.5)

An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.

CVE-2025-5315 (CVSS: 4.3)

An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.

CVE-2025-5846 (CVSS: 2.7)

An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.

Impact

  • Denial of Service
  • Gain Access
  • Privilege Escalation

Indicators of Compromise

CVE

  • CVE-2025-2938
  • CVE-2025-3279
  • CVE-2025-5315
  • CVE-2025-5846

Affected Vendors

  • GitLab

Affected Products

  • GitLab 10.7
  • GitLab 16.10
  • GitLab 17.2
  • GitLab 17.3
  • GitLab 18.0
  • GitLab 18.1

Remediation

Refer to the GitLab website for patch, upgrade, or suggested workaround information. The fixed releases named in the advisory are 17.11.5, 18.0.3, and 18.1.1.
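To decide whether a given instance needs one of those upgrades, the affected version ranges quoted in the advisory can be checked mechanically. The following is an added example, not code from Rewterz or GitLab; the ranges are transcribed from the descriptions above, and the assumption that an unsuffixed version string is Enterprise Edition is a choice made here.

```python
# Added example: match an installed GitLab version against the affected
# ranges stated in this advisory. Each range is (first affected, first fixed),
# i.e. first_affected <= version < first_fixed. CVE-2025-5846 is EE-only
# per the advisory; the other three apply to both CE and EE.
AFFECTED = {
    "CVE-2025-2938": ({"ce", "ee"}, [("17.3", "17.11.5"), ("18.0", "18.0.3"), ("18.1", "18.1.1")]),
    "CVE-2025-3279": ({"ce", "ee"}, [("10.7", "17.11.5"), ("18.0", "18.0.3"), ("18.1", "18.1.1")]),
    "CVE-2025-5315": ({"ce", "ee"}, [("17.2", "17.11.5"), ("18.0", "18.0.3"), ("18.1", "18.1.1")]),
    "CVE-2025-5846": ({"ee"},       [("16.10", "17.11.5"), ("18.0", "18.0.3"), ("18.1", "18.1.1")]),
}


def parse_version(version):
    """Turn '17.11.5', '18.0' or '18.0.2-ee' into a comparable 3-tuple.

    Returns (numbers, edition). Missing components pad with zeros so that
    '18.0' sorts as 18.0.0; the '-ce'/'-ee' suffix GitLab appends to its
    release strings is read as the edition. An unsuffixed string is treated
    as EE (assumption made for this example).
    """
    core, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums = nums + (0,) * (3 - len(nums))
    edition = suffix.lower() if suffix else "ee"
    return nums, edition


def affected_cves(version):
    """Return the CVEs from this advisory whose ranges include `version`."""
    installed, edition = parse_version(version)
    hits = []
    for cve, (editions, ranges) in AFFECTED.items():
        if edition not in editions:
            continue  # e.g. CE is not affected by the EE-only compliance-framework issue
        for first, fixed in ranges:
            if parse_version(first)[0] <= installed < parse_version(fixed)[0]:
                hits.append(cve)
                break
    return hits


if __name__ == "__main__":
    for v in ["18.0.2-ee", "18.0.2-ce", "17.2.0", "17.11.6", "18.1.1-ee"]:
        print(v, "->", affected_cves(v) or "not affected")
```

Note that 17.11.5 up to (but excluding) 18.0 is a fixed range, so a version such as 17.11.6 reports no hits even though it is below 18.0.3.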

  • CVE-2025-2938
  • CVE-2025-3279
  • CVE-2025-5315
  • CVE-2025-5846