Lucene search

Veracode Vulnerability DatabaseVERACODE:44829

HistoryDec 26, 2023 - 5:38 a.m.

Arbitrary Code Execution

2023-12-2605:38:57

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitlab

remote code execution

arbitrary pipeline execution

user context

malicious code

software

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

Low

0.019 Low

EPSS

Percentile

88.5%

JSON

gitlab:sid is vulnerable to Remote code execution. The vulnerability due to perform arbitrary pipeline execution under the context of another user. It allow an attacker execute the other user context with malicious code.

CPENameOperatorVersion
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1

Name	Operator	Version
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1

References

gitlab.com/gitlab-org/gitlab/-/issues/425604

gitlab.com/gitlab-org/gitlab/-/issues/425857

hackerone.com/reports/2174141

security-tracker.debian.org/tracker/CVE-2023-5207

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

Low

0.019 Low

EPSS

Percentile

88.5%

JSON

Related for VERACODE:44829