CVE-2023-5356

Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:enterprise:*:*:*

History

18 Jan 2024, 21:17

Type Values Removed Values Added
References () https://hackerone.com/reports/2188868 - () https://hackerone.com/reports/2188868 - Permissions Required
References () https://gitlab.com/gitlab-org/gitlab/-/issues/427154 - () https://gitlab.com/gitlab-org/gitlab/-/issues/427154 - Broken Link
First Time Gitlab gitlab
Gitlab
CPE cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:community:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CWE CWE-863

12 Jan 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-12 14:15

Updated : 2024-02-28 20:54


NVD link : CVE-2023-5356

Mitre link : CVE-2023-5356

CVE.ORG link : CVE-2023-5356


JSON object : View

Products Affected

gitlab

  • gitlab
CWE
CWE-863

Incorrect Authorization