CVE-2023-5332 — Dependency on Vulnerable Third-Party Component in Gitlab

CWE-1395 — Dependency on Vulnerable Third-Party Component CWE-77 — Command Injection6 documents6 sources

Severity

8.1HIGHNVD

EPSS

0.0%

top 94.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Hashicorp Consul Debian Consul

Timeline

PublishedDec 4

Description

Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5gitlab/gitlab16.4 — 16.4.1

▶NVDgitlab/gitlab9.5.0 — 16.2.8+2

▶NVDhashicorp/consul1.0.0 — 1.0.8+3

▶debiandebian/consul

▶gitlabgitlab/gitlab

Patches

Patch: www.hashicorp.com ↗Patch: www.hashicorp.com ↗

🔴Vulnerability Details

GHSA

GHSA-xcgm-v273-44cr: Patch in third party library Consul requires 'enable-script-checks' to be set to False↗2023-12-04

▶

OSV

CVE-2023-5332: Patch in third party library Consul requires 'enable-script-checks' to be set to False↗2023-12-04

▶

📋Vendor Advisories

Red Hat

consul: Command injection through script checks option↗2023-12-04

▶

GitLab

CVE-2023-5332: Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without thi↗2023-12-04

▶

Debian

CVE-2023-5332: consul - Patch in third party library Consul requires 'enable-script-checks' to be set to...↗2023

▶