CVE-2017-0882 — Authorization Bypass Through User-Controlled Key in Gitlab

CWE-639 — Authorization Bypass Through User-Controlled Key CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

6.3MEDIUMNVD

EPSS

0.2%

top 60.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Gitlab Gitlab

Timeline

PublishedMar 28

Latest updateMay 13

Description

Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages3 packages

▶debiandebian/gitlab< gitlab 8.13.11+dfsg-7 (sid)

▶NVDgitlab/gitlab59 versions+58

▶gitlabgitlab/gitlab

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-qgwf-v74m-338m: Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request↗2022-05-13

▶

📋Vendor Advisories

GitLab

CVE-2017-0882: Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.↗2017-03-28

▶

Debian

CVE-2017-0882: gitlab - Multiple versions of GitLab expose sensitive user credentials when assigning a u...↗2017

▶