CVE-2018-8971
Published: 2018-03-24
Priority: P343 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.34% (67.7th percentile)
The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | gitlab | < gitlab 10.5.6+dfsg-1 (sid) | gitlab 10.5.6+dfsg-1 (sid) |
| gitlab | gitlab | <= 10.3.8 | 10.3.9 |
| gitlab | gitlab | — | — |
| gitlab | gitlab | 10.4.0 – 10.4.5 | 10.4.6 |
| gitlab | gitlab | 10.5.0 – 10.5.5 | 10.5.6 |
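The affected ranges above are the only detail the advisory gives, so the practical triage question is twofold: is the running GitLab inside one of those ranges, and is the Auth0 OmniAuth provider actually enabled (an instance that never configured the auth0 provider does not exercise the flawed integration). The Ruby below is an added example written for this page, not GitLab's or Debian's code. It assumes a version string in the form GitLab's VERSION file or a Debian package version uses (e.g. `10.5.5-ee`, `10.5.6+dfsg-1`), and a list of provider hashes of the shape found under `omniauth.providers` in gitlab.yml, where the Auth0 provider is identified by `name: 'auth0'`; the sample inputs are constructed for the example.

```ruby
# Added example for CVE-2018-8971 triage (not GitLab's own code).
# Classifies a GitLab version against the advisory's affected ranges and,
# combined with the OmniAuth provider list, decides whether an instance
# is actually exposed.
require 'rubygems' # provides Gem::Version for correct numeric comparison

# Ranges from the advisory: < 10.3.9, 10.4.0..10.4.5 (fixed 10.4.6),
# 10.5.0..10.5.5 (fixed 10.5.6). Upper bounds are exclusive.
AFFECTED_RANGES = [
  { from: '0.0.0',  to: '10.3.9', fixed: '10.3.9' },
  { from: '10.4.0', to: '10.4.6', fixed: '10.4.6' },
  { from: '10.5.0', to: '10.5.6', fixed: '10.5.6' },
].freeze

# Reduce "v10.5.5-ee", "10.5.6+dfsg-1" etc. to the numeric core so that
# edition and packaging suffixes do not confuse the comparison.
def normalize_version(version)
  m = version.to_s.strip.match(/\Av?(\d+(?:\.\d+)*)/)
  raise ArgumentError, "unparseable version: #{version.inspect}" unless m
  Gem::Version.new(m[1])
end

# Returns { vulnerable: true/false, fixed_in: "x.y.z" or nil }.
def cve_2018_8971_status(version)
  v = normalize_version(version)
  AFFECTED_RANGES.each do |r|
    lo = Gem::Version.new(r[:from])
    hi = Gem::Version.new(r[:to])
    return { vulnerable: true, fixed_in: r[:fixed] } if v >= lo && v < hi
  end
  { vulnerable: false, fixed_in: nil }
end

# providers: array of hashes as under omniauth.providers in gitlab.yml
# (string or symbol keys). Only the auth0 provider matters for this CVE.
def auth0_enabled?(providers)
  Array(providers).any? { |p| (p['name'] || p[:name]).to_s == 'auth0' }
end

# Exposed only when the code is in an affected range AND Auth0 is wired in.
def exposed?(version, providers)
  cve_2018_8971_status(version)[:vulnerable] && auth0_enabled?(providers)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not taken from a real deployment.
  sample_version   = '10.5.5-ee'
  sample_providers = [{ 'name' => 'auth0', 'app_id' => 'redacted' },
                      { 'name' => 'saml' }]
  status = cve_2018_8971_status(sample_version)
  puts "version #{sample_version}: vulnerable=#{status[:vulnerable]} " \
       "fixed_in=#{status[:fixed_in].inspect}"
  puts "exposed (auth0 enabled): #{exposed?(sample_version, sample_providers)}"
end
```

Patched Debian packages carry the `+dfsg-1` suffix, which is why the version is reduced to its numeric core before comparison; comparing raw strings would misclassify `10.5.6+dfsg-1` and `10.10.0` alike.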
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
GitLab
vendor_gitlab · 2018-03-24 · CVSS 9.8 · CRITICAL · CWE-20
The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users.
Debian
vendor_debian · 2018 · CVSS 9.8 · CRITICAL
Scope: local
sid: resolved (fixed in 10.5.6+dfsg-1)
GHSA
GHSA-8c6r-xvww-2p23 · ghsa_unreviewed · 2022-05-14 · CRITICAL · CWE-20
OSV
osv · 2018-03-24 · CVSS 9.8 · CRITICAL
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.