CVE-2023-3907 — Incorrect User Management in Gitlab

CWE-286 — Incorrect User Management CWE-269 — Improper Privilege Management5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.0%

top 92.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedDec 17

Latest updateDec 18

Description

A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5gitlab/gitlab16.0 — 16.4.4

▶NVDgitlab/gitlab16.0.0 — 16.4.4+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-hmrg-q92x-qw2x: A privilege escalation vulnerability in GitLab EE affecting all versions from 16↗2023-12-18

▶

OSV

CVE-2023-3907: A privilege escalation vulnerability in GitLab EE affecting all versions from 16↗2023-12-17

▶

📋Vendor Advisories

GitLab

CVE-2023-3907: A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 all↗2023-12-17

▶

Debian

CVE-2023-3907: gitlab - A privilege escalation vulnerability in GitLab EE affecting all versions from 16...↗2023

▶