CVE-2023-3932
Vulnerability from cvelistv5
Published
2023-08-03 04:01
Modified
2024-09-18 13:14
Severity
Summary
Missing Authorization in GitLab
References
Source | URL | Tags |
---|---|---|
cve@gitlab.com | https://gitlab.com/gitlab-org/gitlab/-/issues/417594 | Exploit |
cve@gitlab.com | https://hackerone.com/reports/2057633 | Permissions Required |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-3932", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-07-24T13:25:44.895120Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-18T13:14:46.779Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T07:08:50.781Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GitLab Issue #417594", "tags": [ "issue-tracking", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/417594" }, { "name": "HackerOne Bug Bounty Report #2057633", "tags": [ "technical-description", "exploit", "x_transferred" ], "url": "https://hackerone.com/reports/2057633" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "cpes": [ "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "versions": [ { "lessThan": "16.0.8", "status": "affected", "version": "13.12", "versionType": "semver" }, { "lessThan": "16.1.3", "status": "affected", "version": "16.1.0", "versionType": "semver" }, { "lessThan": "16.2.2", "status": "affected", "version": "16.2.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Thanks [vaib25vicky](https://hackerone.com/vaib25vicky) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-18T04:06:10.199Z", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "name": "GitLab Issue #417594", "tags": [ "issue-tracking" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/417594" }, { "name": "HackerOne Bug Bounty Report #2057633", "tags": [ "technical-description", "exploit", "permissions-required" ], "url": "https://hackerone.com/reports/2057633" } ], "solutions": [ { "lang": "en", "value": "Upgrade to versions 16.2.2, 16.1.3, 16.0.8 or above." } ], "title": "Missing Authorization in GitLab" } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2023-3932", "datePublished": "2023-08-03T04:01:58.186Z", "dateReserved": "2023-07-25T11:01:19.577Z", "dateUpdated": "2024-09-18T13:14:46.779Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2023-3932\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2023-08-03T05:15:10.723\",\"lastModified\":\"2023-10-20T20:04:39.057\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"13.12.0\",\"versionEndExcluding\":\"16.0.8\",\"matchCriteriaId\":\"91EEA705-42BA-4BFE-A96D-185938DB0FF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.3\",\"matchCriteriaId\":\"B6C23B24-069B-4665-9CA6-8D40AC5DDA91\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"16.2.0\",\"versionEndExcluding\":\"16.2.2\",\"matchCriteriaId\":\"4E16595C-02B7-4143-8991-E47770CCA461\"}]}]}],\"references\":[{\"url\":\"https://gitlab.com/gitlab-org/gitlab/-/issues/417594\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Exploit\"]},{\"url\":\"https://hackerone.com/reports/2057633\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Permissions Required\"]}]}}" } }
Loading...