CVE-2016-4340
published 2017-01-23


Priority: P2 (60, high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 10.14% (percentile 95.1)
The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors.

Affected

47 ranges · showing 25

Vendor | Product | Version range | Fixed in
debian | gitlab | < gitlab 8.8.2+dfsg-1 (sid) | gitlab 8.8.2+dfsg-1 (sid)
gitlab | gitlab | (24 further rows; version ranges not extracted) | (not extracted)

Detection & IOCs (extracted from sources)

URL: POST /admin/users/stop_impersonation?id=root
Path: /admin/users/stop_impersonation
  • Monitor for POST requests to /admin/users/stop_impersonation from non-admin user sessions. A regular (non-admin) authenticated user issuing this request is a strong indicator of CVE-2016-4340 exploitation.
  • Alert on a _method=delete parameter paired with an authenticity_token in the POST body to the /admin/users/stop_impersonation endpoint, especially when the requesting session belongs to a non-privileged user.
  • Any registered user can impersonate any other user, including administrators; audit GitLab session logs for unexpected privilege changes or admin-level actions performed by low-privilege accounts.
  • Affected GitLab versions are 8.2.0–8.2.4, 8.3.0–8.3.8, 8.4.0–8.4.9, 8.5.0–8.5.11, 8.6.0–8.6.7, and 8.7.0. The Debian fix was introduced in 8.8.2+dfsg-1. Ensure instances are patched beyond these ranges.
  • The exploit requires the attacker to first be authenticated as a regular user and to obtain a valid CSRF authenticity_token from any POST request (e.g., a profile update). Detection rules should account for this token-harvesting step.
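The detection logic above, as an added example that is not part of this record or of GitLab's own tooling: it scans constructed log lines in an assumed format (timestamp, user, admin flag, method, URL, optional form body) and flags POSTs to the stop_impersonation endpoint from non-admin sessions, raising severity when the _method=delete plus authenticity_token shape is present.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/admin/users/stop_impersonation"

# Assumed log format (hypothetical, for this example only):
# "<timestamp> user=<login> admin=<true|false> <METHOD> <url> [body=<form-encoded>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) admin=(?P<admin>true|false) "
    r"(?P<method>[A-Z]+) (?P<url>\S+)(?: body=(?P<body>\S+))?$"
)

# Constructed sample: one legitimate admin call, one benign profile update
# (the token-harvesting step), one suspicious non-admin call, one unrelated GET.
SAMPLE_LOG = """\
2016-05-02T10:00:01Z user=root admin=true POST /admin/users/stop_impersonation?id=root body=_method=delete&authenticity_token=AAA
2016-05-02T10:00:05Z user=alice admin=false POST /profile body=authenticity_token=BBB&name=Alice
2016-05-02T10:00:09Z user=alice admin=false POST /admin/users/stop_impersonation?id=root body=_method=delete&authenticity_token=BBB
2016-05-02T10:00:12Z user=bob admin=false GET /dashboard
"""

def parse_line(line):
    """Parse one log line into a dict with split path, query and body params."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["path"], _, query = ev["url"].partition("?")
    ev["query"] = parse_qs(query)
    ev["params"] = parse_qs(ev["body"] or "")
    ev["admin"] = ev["admin"] == "true"
    return ev

def classify(ev):
    """Return a finding string for a suspicious event, else None."""
    if ev is None or ev["method"] != "POST" or ev["path"] != TARGET_PATH:
        return None
    if ev["admin"]:
        return None  # admins legitimately end their own impersonation sessions
    severity = "HIGH"
    if ev["params"].get("_method") == ["delete"] and "authenticity_token" in ev["params"]:
        severity = "CRITICAL"  # exact request shape described for CVE-2016-4340
    target = ev["query"].get("id", ["?"])[0]
    return f"{severity}: non-admin {ev['user']} POSTed to {TARGET_PATH} (id={target}) at {ev['ts']}"

def scan(log_text):
    """Run classify() over every line and collect the findings."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(classify, events) if f]
```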

CVSS provenance

nvd (v3.0): 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
osv: 8.8 HIGH
vendor_debian: 8.8 HIGH