CVE-2025-2498 — Insufficient Granularity of Access Control in Gitlab

CWE-1220 — Insufficient Granularity of Access Control CWE-824 — Access of Uninitialized Pointer6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 98.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedAug 13

Description

An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5gitlab/gitlab12.0 — 18.0.6+2

▶NVDgitlab/gitlab12.0.0 — 18.0.6+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

OSV

CVE-2025-2498: An improper access control in Gitlab EE affecting all versions from 12↗2025-08-13

▶

GHSA

GHSA-vcvr-9mwv-w2g3: An improper access control in Gitlab EE affecting all versions from 12↗2025-08-13

▶

📋Vendor Advisories

GitLab

CVE-2025-2498: An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under ce↗2025-08-13

▶

Debian

CVE-2025-2498: gitlab - An improper access control in Gitlab EE affecting all versions from 12.0 prior t...↗2025

▶