CVE-2023-5207
published 2023-09-30CVE-2023-5207: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An…
PriorityP352high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.09%
61.3th percentile
A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 16.4.4+ds2-2 (sid) | gitlab 16.4.4+ds2-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 16.0.0 < 16.2.8 | 16.2.8 |
| gitlab | gitlab | >= 16.3 < 16.3.5 | 16.3.5 |
| gitlab | gitlab | >= 16.3.0 < 16.3.5 | 16.3.5 |
| gitlab | gitlab | >= 16.4 < 16.4.1 | 16.4.1 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.2HIGH
vendor_redhat8.2HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2023-5207: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16
osv·2023-09-30·CVSS 8.8
CVE-2023-5207 [HIGH] CVE-2023-5207: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16
A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.
GHSA
GHSA-m4hq-98c3-4xmx: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16
ghsa_unreviewed·2023-09-30
CVE-2023-5207 [HIGH] CWE-250 GHSA-m4hq-98c3-4xmx: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16
A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.
GitLab
CVE-2023-5207: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.
vendor_gitlab·2023-09-30·CVSS 8.2
CVE-2023-5207 [HIGH] CWE-250 CVE-2023-5207: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.
CVE-2023-5207: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.
Red Hat
gitlab: Improper Authorization for Pipeline Execution
vendor_redhat·2023-09-30·CVSS 8.2
CVE-2023-5207 [HIGH] CWE-284 gitlab: Improper Authorization for Pipeline Execution
gitlab: Improper Authorization for Pipeline Execution
A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.
Statement: The GitLab package used in OpenShift is a GitLab API NodeJS library which is not affected by CVE-2023-5207.
Package: openshift4/ose-console (Red Hat OpenShift Container Platform 4) - Not affected
Debian
CVE-2023-5207: gitlab - A vulnerability was discovered in GitLab CE and EE affecting all versions starti...
vendor_debian·2023·CVSS 8.2
CVE-2023-5207 [HIGH] CVE-2023-5207: gitlab - A vulnerability was discovered in GitLab CE and EE affecting all versions starti...
A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-09-30
Published