← Back

CVE-2023-3915

nvd nist
Published: Sep 1, 2023Modified: Nov 21, 2024

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 / Impact: 5.9
Source: NVD

Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects.

Affected (6)

Products: Gitlab: Gitlab
Gitlab
1 product
Gitlab
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Gitlab
Gitlab
From 16.1.0 to 16.1.5
Gitlab
From 16.2 to 16.2.5
Gitlab
From 16.1.0 to 16.1.5
Gitlab
From 16.2 to 16.2.5
Gitlab
Version 16.3.0
Gitlab
Version 16.3.0

Related CWEs

CWE-279
Incorrect Execution-Assigned Permissions
While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.
CWE-732
Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (4)

Source: cve@gitlab.com
Broken Link
Source: cve@gitlab.com
Permissions Required
Source: af854a3a-2127-422b-91ae-364da2661108
Broken Link
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions Required

Timeline

No history available yet.