CVE-2023-5356 Incorrect Authorization in GitLab

Published: 2024-01-12 13:56:51 (cvelist, CNA: GitLab)
Weakness: CWE-863 (Incorrect Authorization)
Source: www.cve.org
Tags: gitlab, incorrect authorization, slash commands, cve-2023-5356, mattermost integration

CVSS3: 7.3 High
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

AI Score: 8.8 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 30.1%)

Incorrect authorization checks in GitLab CE/EE (all versions from 8.13 before 16.5.6, from 16.6 before 16.6.4, and from 16.7 before 16.7.2) allow a user to abuse the Slack or Mattermost integrations to execute slash commands as another user. Fixed in 16.5.6, 16.6.4 and 16.7.2.

CNA Affected

[
  {
    "vendor": "GitLab",
    "product": "GitLab",
    "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
    "versions": [
      {
        "version": "8.13",
        "status": "affected",
        "lessThan": "16.5.6",
        "versionType": "semver"
      },
      {
        "version": "16.6",
        "status": "affected",
        "lessThan": "16.6.4",
        "versionType": "semver"
      },
      {
        "version": "16.7",
        "status": "affected",
        "lessThan": "16.7.2",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
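The three semver ranges above are easy to misread by eye (a 16.5.7 instance is not in the first range, a 16.6.0 instance is), so the usual check is to evaluate the CNA "affected" structure mechanically: a version is affected if it falls in any entry's `[version, lessThan)` interval, otherwise `defaultStatus` applies. The script below is an added example, not GitLab's or cve.org's code; it embeds the range entries from the record above (trimmed to the fields the check needs) and feeds in constructed version strings, including the `-ee`/`-ce` edition suffix that GitLab appends to its reported version.

```python
"""Evaluate a GitLab version against the CNA 'affected' ranges for CVE-2023-5356.

Added example, not GitLab's or cve.org's code. Range entries are copied from the
CNA record above; the version strings at the bottom are constructed test inputs.
"""
import json
import re
from typing import List, Tuple

# "affected" block from the CNA record above, trimmed to the fields used here,
# embedded so the check runs offline.
CNA_AFFECTED_JSON = """
[
  {
    "vendor": "GitLab",
    "product": "GitLab",
    "versions": [
      {"version": "8.13", "status": "affected", "lessThan": "16.5.6", "versionType": "semver"},
      {"version": "16.6", "status": "affected", "lessThan": "16.6.4", "versionType": "semver"},
      {"version": "16.7", "status": "affected", "lessThan": "16.7.2", "versionType": "semver"}
    ],
    "defaultStatus": "unaffected"
  }
]
"""

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse 'X[.Y[.Z]]' into a zero-padded 3-tuple, so '8.13' == (8, 13, 0).

    An edition suffix such as '-ee' or '-ce' (as reported by GitLab's
    /api/v4/version endpoint) is dropped before parsing."""
    core = text.strip().split("-")[0]
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", core)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def status_for(version: str, affected: List[dict]) -> str:
    """Return the CVE 5.x status ('affected' / 'unaffected') for one version.

    Each entry means: entry['version'] <= v < entry['lessThan'].
    If no entry matches, the product's defaultStatus applies."""
    v = parse_version(version)
    for product in affected:
        for entry in product["versions"]:
            if entry.get("versionType") != "semver":
                continue  # only semver ranges are handled by this example
            lo = parse_version(entry["version"])
            hi = parse_version(entry["lessThan"])
            if lo <= v < hi:
                return entry["status"]
    return affected[0]["defaultStatus"]


def is_vulnerable(version: str) -> bool:
    """True when the given GitLab version falls inside an affected range."""
    return status_for(version, json.loads(CNA_AFFECTED_JSON)) == "affected"


if __name__ == "__main__":
    # Constructed samples straddling each range boundary (not real deployments).
    for sample in ["8.12.9", "8.13.0", "16.5.5-ee", "16.5.6", "16.5.7",
                   "16.6.0", "16.6.4", "16.7.1-ce", "16.7.2", "16.8.0"]:
        verdict = "AFFECTED" if is_vulnerable(sample) else "unaffected"
        print(f"{sample:>10}: {verdict}")
```

Tuple comparison gives the semver ordering for GitLab's numeric-only release scheme; the `lessThan` bound is exclusive, which is why 16.5.6, 16.6.4 and 16.7.2 evaluate as unaffected while 16.5.5, 16.6.3 and 16.7.1 do not. Note that 16.5.7 and later 16.5.x patch releases also fall outside every range and are therefore unaffected.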
