CVE-2023-3115 — Incorrect User Management in Gitlab

CWE-286 — Incorrect User Management CWE-284 — Improper Access Control CWE-628 — Function Call with Incorrectly Specified Arguments5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 88.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedSep 29

Description

An issue has been discovered in GitLab EE affecting all versions affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5gitlab/gitlab16.3 — 16.3.5+1

▶NVDgitlab/gitlab11.11 — 16.2.8+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-5x88-x3vg-442p: An issue has been discovered in GitLab EE affecting all versions affecting all versions from 11↗2023-09-29

▶

📋Vendor Advisories

GitLab

CVE-2023-3115: An issue has been discovered in GitLab EE affecting all versions affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 pri↗2023-09-29

▶

Debian

CVE-2023-3115: gitlab - An issue has been discovered in GitLab EE affecting all versions affecting all v...↗2023

▶