Lucene search

GoogleOSV:BIT-GITLAB-2023-5207

HistoryMar 06, 2024 - 10:57 a.m.

BIT-gitlab-2023-5207

2024-03-0610:57:16

Google

osv.dev

security vulnerability

arbitrary pipeline execution

user context

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

Low

0.019 Low

EPSS

Percentile

88.5%

JSON

A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.

CPENameOperatorVersion
gitlabge16.4.0
gitlabge16.3.0
gitlablt16.2.8
gitlable16.4.0
gitlablt16.3.5
gitlabge16.0.0

Name	Operator	Version
gitlab	ge	16.4.0
gitlab	ge	16.3.0
gitlab	lt	16.2.8
gitlab	le	16.4.0
gitlab	lt	16.3.5
gitlab	ge	16.0.0

References

gitlab.com/gitlab-org/gitlab/-/issues/425604

gitlab.com/gitlab-org/gitlab/-/issues/425857

hackerone.com/reports/2174141

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

Low

0.019 Low

EPSS

Percentile

88.5%

JSON

Related for OSV:BIT-GITLAB-2023-5207