CVE-2023-5207 — Execution with Unnecessary Privileges in Gitlab

CWE-250 — Execution with Unnecessary Privileges CWE-284 — Improper Access Control6 documents6 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 43.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedSep 30

Description

A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5gitlab/gitlab16.4 — 16.4.1+1

▶NVDgitlab/gitlab16.0.0 — 16.2.8+2

▶debiandebian/gitlab< gitlab 16.4.4+ds2-2 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

OSV

CVE-2023-5207: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16↗2023-09-30

▶

GHSA

GHSA-m4hq-98c3-4xmx: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16↗2023-09-30

▶

📋Vendor Advisories

GitLab

CVE-2023-5207: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.↗2023-09-30

▶

Red Hat

gitlab: Improper Authorization for Pipeline Execution↗2023-09-30

▶

Debian

CVE-2023-5207: gitlab - A vulnerability was discovered in GitLab CE and EE affecting all versions starti...↗2023

▶