CVE-2023-5106

Published: Oct 2, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.

Affected (3)

Products: Gitlab: Gitlab

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 13.12 to 16.2.8
Gitlab Gitlab	From 16.3.0 to 16.3.5
Gitlab Gitlab	Version 16.4.0

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (3)

https://gitlab.com/gitlab-org/gitlab/-/commit/67039cfcae80b8fc0496f79be88714873cd169b3

Source: cve@gitlab.com

Patch

https://gitlab.com/gitlab-org/security/gitlab/-/issues/980

Source: cve@gitlab.com

https://gitlab.com/gitlab-org/gitlab/-/commit/67039cfcae80b8fc0496f79be88714873cd169b3

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.