An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects.
References
| Link | Resource |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/417664 | Broken Link |
| https://hackerone.com/reports/2040834 | Permissions Required |
| https://gitlab.com/gitlab-org/gitlab/-/issues/417664 | Broken Link |
| https://hackerone.com/reports/2040834 | Permissions Required |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:18
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://gitlab.com/gitlab-org/gitlab/-/issues/417664 - Broken Link | |
| References | () https://hackerone.com/reports/2040834 - Permissions Required | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
01 Sep 2023, 21:14
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Gitlab gitlab
Gitlab |
|
| CWE | CWE-732 | |
| References | (MISC) https://hackerone.com/reports/2040834 - Permissions Required | |
| References | (MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/417664 - Broken Link | |
| CPE | cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* cpe:2.3:a:gitlab:gitlab:16.3.0:*:*:*:community:*:*:* cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* cpe:2.3:a:gitlab:gitlab:16.3.0:*:*:*:enterprise:*:*:* |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
01 Sep 2023, 11:47
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-09-01 11:15
Updated : 2024-11-21 08:18
NVD link : CVE-2023-3915
Mitre link : CVE-2023-3915
CVE.ORG link : CVE-2023-3915
JSON object : View
Products Affected
gitlab
- gitlab