An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects.
References
| Link | Resource |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/417664 | Broken Link |
| https://hackerone.com/reports/2040834 | Permissions Required |
| https://gitlab.com/gitlab-org/gitlab/-/issues/417664 | Broken Link |
| https://hackerone.com/reports/2040834 | Permissions Required |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:18
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| References | () https://gitlab.com/gitlab-org/gitlab/-/issues/417664 - Broken Link | |
| References | () https://hackerone.com/reports/2040834 - Permissions Required |
01 Sep 2023, 21:14
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* cpe:2.3:a:gitlab:gitlab:16.3.0:*:*:*:community:*:*:* cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* cpe:2.3:a:gitlab:gitlab:16.3.0:*:*:*:enterprise:*:*:* |
|
| First Time |
Gitlab gitlab
Gitlab |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
| CWE | CWE-732 | |
| References | (MISC) https://hackerone.com/reports/2040834 - Permissions Required | |
| References | (MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/417664 - Broken Link |
01 Sep 2023, 11:47
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-09-01 11:15
Updated : 2024-11-21 08:18
NVD link : CVE-2023-3915
Mitre link : CVE-2023-3915
CVE.ORG link : CVE-2023-3915
JSON object : View
Products Affected
gitlab
- gitlab