CVE-2017-11437 — Incorrect Permission Assignment in Gitlab

CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 74.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedAug 2

Latest updateMay 13

Description

GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, and 9.3.8 allows an authenticated user with the ability to create a project to use the mirroring feature to potentially read repositories belonging to other users.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgitlab/gitlab175 versions+174

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-8g4p-8m3f-hfqx: GitLab Enterprise Edition (EE) before 8↗2022-05-13

▶

📋Vendor Advisories

GitLab

CVE-2017-11437: GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, and 9.3.8 allows an authenticated user with the ability to create a project to use↗2017-08-02

▶

Debian

CVE-2017-11437: gitlab - GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, and 9.3.8 al...↗2017

▶