VYPR
Medium severity (5.9) · OSV Advisory · Published Dec 17, 2017 · Updated May 13, 2026

CVE-2017-17716

Description

GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab 9.4.x prior to 9.4.2 fails to verify LDAP SSL certificates, enabling man-in-the-middle attacks against LDAP authentication.

Vulnerability

GitLab 9.4.x versions before 9.4.2 do not perform SSL certificate verification for LDAP connections. The verify_certificates option mentioned in the 9.4 release announcement had no effect, because the code implementing it was never merged. The issue stems from the omniauth-ldap library and the gitlab_omniauth-ldap gem, which in turn rely on ruby-net-ldap; that library does not enable TLS certificate verification by default [1].

Exploitation

An attacker with network access between a GitLab instance and its LDAP server can perform a man-in-the-middle (MITM) attack. By presenting a fraudulent SSL certificate, the attacker can intercept or modify LDAP authentication traffic. No special privileges on GitLab or the LDAP server are required; the attacker only needs to be positioned to intercept the connection [1].

Impact

Successful exploitation allows an attacker to impersonate the LDAP server, potentially capturing credentials or authenticating as arbitrary users. This undermines the confidentiality and integrity of LDAP-based authentication and may lead to unauthorized access to GitLab resources [1].

Mitigation

GitLab 9.4.2, released 2017-12-17, addresses the issue by ensuring LDAP SSL certificate verification is enforced. Upgrading to 9.4.2 or later is recommended. No workaround is available for earlier versions [1].
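The defensive check a practitioner wants here is an audit of the LDAP server configuration for the weak setting the advisory describes (TLS without certificate verification) next to the corrected one. The following is an added example, not GitLab's own code or part of the advisory; it assumes the documented shape of GitLab's `ldap_servers` block (`host`, `port`, `encryption`, `verify_certificates`) and uses constructed placeholder hosts.

```ruby
require 'yaml'

# Constructed sample in the shape of GitLab's ldap_servers configuration.
# Key names are taken from GitLab's documented LDAP settings; the hosts are
# placeholders, not real systems. "main" is the hardened form, "legacy" omits
# verify_certificates, and "plain" uses no TLS at all.
SAMPLE_CONFIG = <<~YAML
  main:
    label: 'Corporate LDAP'
    host: 'ldap.example.internal'
    port: 636
    encryption: 'simple_tls'
    verify_certificates: true
  legacy:
    label: 'Legacy LDAP'
    host: 'ldap-old.example.internal'
    port: 636
    encryption: 'simple_tls'
  plain:
    label: 'Plaintext LDAP'
    host: 'ldap-plain.example.internal'
    port: 389
    encryption: 'plain'
YAML

# Audit each configured server and return one finding per weak entry.
# A missing verify_certificates key is treated as "unverified", which matches
# the pre-9.4.2 behaviour where the option was not honoured at all.
def audit_ldap_servers(yaml_text)
  servers = YAML.safe_load(yaml_text)
  findings = []
  servers.each do |name, cfg|
    encryption = cfg['encryption'].to_s
    if encryption.empty? || encryption == 'plain'
      findings << { server: name, issue: 'no_tls' }
      next
    end
    if cfg['verify_certificates'] != true
      findings << { server: name, issue: 'unverified_tls' }
    end
  end
  findings
end

# Produce the corrected configuration: every TLS-enabled server gets
# verify_certificates: true. Plaintext servers are left for manual review,
# since switching them to TLS also needs a port and certificate decision.
def harden_ldap_servers(yaml_text)
  servers = YAML.safe_load(yaml_text)
  servers.each_value do |cfg|
    next if cfg['encryption'].to_s.empty? || cfg['encryption'] == 'plain'
    cfg['verify_certificates'] = true
  end
  servers.to_yaml
end

if __FILE__ == $PROGRAM_NAME
  audit_ldap_servers(SAMPLE_CONFIG).each do |f|
    puts "#{f[:server]}: #{f[:issue]}"
  end
  puts harden_ldap_servers(SAMPLE_CONFIG)
end
```

Run against an instance's actual `ldap_servers` YAML, the audit reports which entries would accept any certificate presented to them; after upgrading to 9.4.2 or later, the hardened output is the configuration under which the option is actually enforced.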

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)