CVE-2023-5356

Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:enterprise:*:*:*

History

21 Nov 2024, 08:41

Type Values Removed Values Added
References () https://gitlab.com/gitlab-org/gitlab/-/issues/427154 - Broken Link () https://gitlab.com/gitlab-org/gitlab/-/issues/427154 - Broken Link
References () https://hackerone.com/reports/2188868 - Permissions Required () https://hackerone.com/reports/2188868 - Permissions Required
CVSS v2 : unknown
v3 : 8.8
v2 : unknown
v3 : 7.3

18 Jan 2024, 21:17

Type Values Removed Values Added
First Time Gitlab gitlab
Gitlab
CPE cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:community:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CWE CWE-863
References () https://hackerone.com/reports/2188868 - () https://hackerone.com/reports/2188868 - Permissions Required
References () https://gitlab.com/gitlab-org/gitlab/-/issues/427154 - () https://gitlab.com/gitlab-org/gitlab/-/issues/427154 - Broken Link

12 Jan 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-12 14:15

Updated : 2024-11-21 08:41


NVD link : CVE-2023-5356

Mitre link : CVE-2023-5356

CVE.ORG link : CVE-2023-5356


JSON object : View

Products Affected

gitlab

  • gitlab
CWE
CWE-863

Incorrect Authorization