CVE-2023-7045 — Cross-Site Request Forgery in Gitlab

CWE-352 — Cross-Site Request Forgery6 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 65.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedMay 23

Description

A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶CVEListV5gitlab/gitlab13.11 — 16.10.6+2

▶NVDgitlab/gitlab13.11.0 — 16.10.6+2

▶debiandebian/gitlab< gitlab 17.3.5-2 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

OSV

CVE-2023-7045: A CSRF vulnerability exists within GitLab CE/EE from versions 13↗2024-05-23

▶

GHSA

GHSA-mmc8-x8mq-826c: A CSRF vulnerability exists within GitLab CE/EE from versions 13↗2024-05-23

▶

📋Vendor Advisories

GitLab

CVE-2023-7045: A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging↗2024-05-23

▶

Debian

CVE-2023-7045: gitlab - A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10...↗2023

▶

🕵️Threat Intelligence

Bleepingcomputer

High-severity GitLab flaw lets attackers take over accounts↗2024-05-23

▶