Lucene search

Veracode Vulnerability DatabaseVERACODE:41475

HistoryJul 22, 2023 - 3:34 p.m.

Authorization Bypass

2023-07-2215:34:37

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitlab

authorization bypass

vulnerability

rest api

unprivileged users

groups

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

24.8%

JSON

gitlab is vulnerable to Authorization Bypasses. Under certain conditions, GitLab REST API may allow unprivileged users to add other users to groups even if that is not possible to do through the Web UI.

References

gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0549.json

gitlab.com/gitlab-org/gitlab/-/issues/342448

security-tracker.debian.org/tracker/CVE-2022-0549

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

24.8%

JSON

Related for VERACODE:41475