← Back

CVE-2023-2478

nvd nist
Published: May 8, 2023Modified: Jan 29, 2025

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 / Impact: 3.6
Source: NVD

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious runner to any project.

Affected (6)

Products: Gitlab: Gitlab
Gitlab
1 product
Gitlab
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Gitlab
Gitlab
From 15.10.0 to 15.10.6
Gitlab
From 15.11.0 to 15.11.2
Gitlab
From 15.4.0 to 15.9.7
Gitlab
From 15.10.0 to 15.10.6
Gitlab
From 15.11.0 to 15.11.2
Gitlab
From 15.4.0 to 15.9.7

Related CWEs

CWE-732
Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (7)

Source: cve@gitlab.com
Vendor Advisory
Source: cve@gitlab.com
Broken Link
Source: cve@gitlab.com
Permissions Required
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Broken Link
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions Required
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Broken Link

Timeline

No history available yet.