PT-2023-30097 · Gitlab · Gitlab Ce/Ee+1
Thelucion
·
Publicado
2023-12-01
·
Atualizado
2024-10-03
·
CVE-2023-4658
CVSS v3.1
3.1
Baixa
| Vetor | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
GitLab EE versions 8.13 through 16.4.2
GitLab EE versions 16.5 through 16.5.2
GitLab EE versions 16.6 through 16.6.0
Description
An issue has been discovered in GitLab EE, where it was possible for an attacker to abuse the
Allowed to merge permission as a guest user, when granted the permission through a group.Recommendations
For versions 8.13 through 16.4.2, update to version 16.4.3 or later.
For versions 16.5 through 16.5.2, update to version 16.5.3 or later.
For versions 16.6 through 16.6.0, update to version 16.6.1 or later.
As a temporary workaround, consider restricting the
Allowed to merge permission for guest users in groups until a patch is available.Exploit
Correção
Incorrect Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Gitlab
Gitlab Ce/Ee