CVE-2016-4340
Published: 2017-01-23
Priority: P2 · 60 · Severity: high · CVSS 3.0 base score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 10.14% (95.1st percentile)
The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors.
Affected
47 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 8.8.2+dfsg-1 (sid) | gitlab 8.8.2+dfsg-1 (sid) |
| gitlab | gitlab | — | — |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to /admin/users/stop_impersonation from non-admin user sessions. A regular (non-admin) authenticated user issuing this request is a strong indicator of CVE-2016-4340 exploitation.
- Alert on the _method=delete parameter paired with authenticity_token in the POST body to the /admin/users/stop_impersonation endpoint, especially when the requesting session belongs to a non-privileged user.
- Any registered user can impersonate any other user, including administrators; audit GitLab session logs for unexpected privilege changes or admin-level actions performed by low-privilege accounts.
- Affected GitLab versions are 8.2.0–8.2.4, 8.3.0–8.3.8, 8.4.0–8.4.9, 8.5.0–8.5.11, 8.6.0–8.6.7, and 8.7.0. The Debian fix was introduced in 8.8.2+dfsg-1. Ensure instances are patched beyond these ranges.
- The exploit requires the attacker to first be authenticated as a regular user and obtain a valid CSRF authenticity_token from any POST request (e.g., a profile update). Detection rules should account for this token-harvesting step.
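The first two indicators above reduce to one rule: a POST to /admin/users/stop_impersonation from a session that is not an administrator's, with the _method=delete plus authenticity_token form as a higher-confidence variant. The following is an added example of that rule run over constructed request records; it is not code from the page's sources or from GitLab. It assumes a simplified JSON-per-line log with `method`, `path`, `params`, `username` and `admin` fields, which is a constructed shape, so map your own log's fields before using it.

```python
"""Detect non-admin requests to GitLab's stop_impersonation endpoint (CVE-2016-4340).

Added example. The log format below is constructed for illustration and is NOT
GitLab's real log format; adapt `parse_line` to your own request/audit log.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Endpoint named in the detection guidance above.
TARGET_PATH = "/admin/users/stop_impersonation"


@dataclass
class Alert:
    line_no: int
    username: str
    reason: str


def parse_line(line: str) -> dict:
    """One constructed log record per line, as JSON."""
    return json.loads(line)


def check_request(rec: dict) -> Optional[str]:
    """Return a reason string if the record matches the detection, else None.

    The `admin` flag must describe the account the session authenticated as,
    not the identity it holds after impersonation; otherwise the check is blind.
    """
    if rec.get("method") != "POST":
        return None
    path = rec.get("path", "").split("?", 1)[0]
    if path != TARGET_PATH:
        return None
    if rec.get("admin", False):
        # Administrators legitimately end impersonation sessions this way.
        return None
    params = rec.get("params") or {}
    if str(params.get("_method", "")).lower() == "delete" and "authenticity_token" in params:
        return "non-admin POST to stop_impersonation with _method=delete and authenticity_token"
    return "non-admin POST to stop_impersonation"


def scan(lines: List[str]) -> List[Alert]:
    """Run the detection over log lines; unparsable lines are skipped."""
    alerts: List[Alert] = []
    for n, line in enumerate(lines, start=1):
        try:
            rec = parse_line(line)
        except json.JSONDecodeError:
            continue
        reason = check_request(rec)
        if reason:
            alerts.append(Alert(n, rec.get("username", "?"), reason))
    return alerts


# Constructed sample log: only lines 2 and 5 should alert.
SAMPLE_LOG = [
    '{"method":"GET","path":"/admin/users/stop_impersonation","username":"alice","admin":false}',
    '{"method":"POST","path":"/admin/users/stop_impersonation",'
    '"params":{"_method":"delete","authenticity_token":"tok123"},"username":"mallory","admin":false}',
    '{"method":"POST","path":"/admin/users/stop_impersonation",'
    '"params":{"_method":"delete","authenticity_token":"tok456"},"username":"root","admin":true}',
    '{"method":"POST","path":"/profile","params":{"authenticity_token":"tok123"},"username":"mallory","admin":false}',
    '{"method":"POST","path":"/admin/users/stop_impersonation?x=1","username":"bob","admin":false}',
    'this line is not JSON and is skipped',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: user={a.username}: {a.reason}")
```

The rule keys on the account the session originally authenticated as; if your log only records the effective (impersonated) user, correlate by session identifier first, as the third indicator above suggests.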
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
GHSA
GHSA-rxh8-jh3g-ccqq · ghsa_unreviewed · 2022-05-17 · HIGH
OSV
CVE-2016-4340 · osv · 2017-01-23 · CVSS 8.8 · HIGH
GitLab
CVE-2016-4340 · vendor_gitlab · 2017-01-23 · CVSS 8.8 · HIGH · CWE-264
Debian
CVE-2016-4340 (gitlab) · vendor_debian · 2016 · CVSS 8.8 · HIGH
Scope: local
sid: resolved (fixed in 8.8.2+dfsg-1)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/138368/GitLab-Impersonate-Privilege-Escalation.html
- https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/
- https://gitlab.com/gitlab-org/gitlab-ce/issues/15548
- https://www.exploit-db.com/exploits/40236/