CVE-2023-5207 Improper Access Control in GitLab

2023-09-3008:30:30

CWE-284

GitLab

www.cve.org

gitlab

vulnerability

cve-2023-5207

improper access control

pipeline execution

authenticated attacker

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

8.6 High

AI Score

Confidence

High

0.019 Low

EPSS

Percentile

88.5%

JSON

A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.

CNA Affected

[
  {
    "vendor": "GitLab",
    "product": "GitLab",
    "repo": "git://[email protected]:gitlab-org/gitlab.git",
    "versions": [
      {
        "version": "16.4",
        "status": "affected",
        "lessThan": "16.4.1",
        "versionType": "semver"
      },
      {
        "version": "16.3",
        "status": "affected",
        "lessThan": "16.3.5",
        "versionType": "semver"
      },
      {
        "version": "16.0.0",
        "status": "affected",
        "lessThan": "16.2.8",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]