CVE-2023-1417

Published: Apr 5, 2023Modified: Feb 11, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group.

Affected (4)

Products: Gitlab: Gitlab

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 15.9.0 to 15.9.4
Gitlab Gitlab	From 15.9.0 to 15.9.4
Gitlab Gitlab	Version 15.10.0
Gitlab Gitlab	Version 15.10.0

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (6)

https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1417.json

Source: cve@gitlab.com

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/396720

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/1892200

Source: cve@gitlab.com

Permissions Required

https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1417.json

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/396720

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://hackerone.com/reports/1892200

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.