CVE-2023-5009

Published: Sep 19, 2023Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact.

Affected (2)

Products: Gitlab: Gitlab

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 13.12 to 16.2.7
Gitlab Gitlab	From 16.3 to 16.3.4

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://gitlab.com/gitlab-org/gitlab/-/issues/425304

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/2147126

Source: cve@gitlab.com

Permissions Required

https://gitlab.com/gitlab-org/gitlab/-/issues/425304

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://hackerone.com/reports/2147126

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.