CVE-2017-0921

Published: Jul 3, 2018Modified: Nov 21, 2024

8.1

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised.

Affected (6)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	Before 10.1.6
Gitlab Gitlab	From 10.2.0 to 10.2.6
Gitlab Gitlab	From 10.3.0 to 10.3.4
Gitlab Gitlab	Before 10.1.6
Gitlab Gitlab	From 10.2.0 to 10.2.6
Gitlab Gitlab	From 10.3.0 to 10.3.4

Related CWEs

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

References (2)

https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/

Source: support@hackerone.com

Vendor Advisory

https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.