Severity: 4.3 MEDIUM
EPSS: 0.1% (top 73.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 22; Latest update May 13

Description

GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component, allowing an attacker to see every project name and its respective namespace on a GitLab instance.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5 | gitlab/gitlab_community_and_enterprise_editions | Versions before 10.1.6, 10.2.6, and 10.3.4
NVD | gitlab/gitlab | 8.8.0 through 10.1.5, +5 more ranges

Vulnerability Details (2)

GHSA: GHSA-vg8q-6f88-6vrh: GitLab Community and Enterprise Editions before 10 (2022-05-13)
CVEList: CVE-2017-0920: GitLab Community and Enterprise Editions before 10 (2018-03-22)

Vendor Advisories (2)

GitLab: CVE-2017-0920: GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeReque (2018-03-22)
Debian: CVE-2017-0920: gitlab - GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are v... (2017)

Community (1)

Bugzilla: CVE-2017-2668 389-ds-base: Remote crash via crafted LDAP messages (2017-03-28)

CVE-2017-0920 (MEDIUM CVSS 4.3) | GitLab Community and Enterprise Edi | cvebase.io