CVE-2023-1265 — Session Fixation in Gitlab

CWE-384 — Session Fixation CWE-1265 — Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls6 documents6 sources

Severity

4.5MEDIUMNVD

EPSS

0.0%

top 89.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Pimcore Debian Gitlab

Timeline

PublishedMay 3

Description

An issue has been discovered in GitLab affecting all versions starting from 11.9 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The condition allows for a privileged attacker, under certain conditions, to obtain session tokens from all users of a GitLab instance.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages5 packages

▶NVDgitlab/gitlab11.9 — 15.9.6+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=11.9, <15.9.6, >=15.10, <15.10.5, >=15.11, <15.11.1+2

▶gitlabgitlab/gitlab

▶Packagistpimcore/pimcore< 10.5.16

🔴Vulnerability Details

GHSA

GHSA-34vw-vvrj-pr33: An issue has been discovered in GitLab affecting all versions starting from 11↗2023-05-03

▶

OSV

CVE-2023-1265: An issue has been discovered in GitLab affecting all versions starting from 11↗2023-05-03

▶

GHSA

SameSite Attribute vulnerability in pimCore↗2023-02-13

▶

📋Vendor Advisories

GitLab

CVE-2023-1265: An issue has been discovered in GitLab affecting all versions starting from 11.9 before 15.9.6, all versions starting from 15.10 before 15.10.5, all v↗2023-05-03

▶

Debian

CVE-2023-1265: gitlab - An issue has been discovered in GitLab affecting all versions starting from 11.9...↗2023

▶