Lucene search

K
cve[email protected]CVE-2023-3511
HistoryDec 15, 2023 - 4:15 p.m.

CVE-2023-3511

2023-12-1516:15:43
CWE-284
web.nvd.nist.gov
23
cve-2023-3511
gitlab ee
security vulnerability
auditor user
merge request
private project

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

3.5 Low

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.0%

An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they’re not a member of.

Affected configurations

NVD
Node
gitlabgitlabRange8.17–16.4.4enterprise
OR
gitlabgitlabRange16.5–16.5.4enterprise
OR
gitlabgitlabRange16.6–16.6.2enterprise

CNA Affected

[
  {
    "vendor": "GitLab",
    "product": "GitLab",
    "repo": "git://[email protected]:gitlab-org/gitlab.git",
    "versions": [
      {
        "version": "8.17",
        "status": "affected",
        "lessThan": "16.4.4",
        "versionType": "semver"
      },
      {
        "version": "16.5",
        "status": "affected",
        "lessThan": "16.5.4",
        "versionType": "semver"
      },
      {
        "version": "16.6",
        "status": "affected",
        "lessThan": "16.6.2",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

3.5 Low

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.0%