PT-2023-6630 · Gitlab · Gitlab Ce/Ee+1

Vaib25Vicky

Published

2023-08-03

Updated

2024-10-03

CVE-2023-3932

CVSS v3.1

8.2

High

Vector

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions GitLab EE versions 13.12 through 16.0.7 GitLab EE versions 16.1 through 16.1.2 GitLab EE versions 16.2 through 16.2.1

Description An issue has been discovered in GitLab EE, affecting the authorization procedure. This issue allows an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. The exploitation of this issue may enable a remote attacker to launch tasks in the name of any user.

Recommendations For versions 13.12 through 16.0.7, update to version 16.0.8 or later. For versions 16.1 through 16.1.2, update to version 16.1.3 or later. For versions 16.2 through 16.2.1, update to version 16.2.2 or later. As a temporary workaround, consider restricting access to scheduled security scan policies until a patch is available.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-286CWE-862

Related Identifiers

BDU:2023-07398

BIT-GITLAB-2023-3932

CVE-2023-3932

Affected Products

Gitlab

Gitlab Ce/Ee

PT-2023-6630 · Gitlab · Gitlab Ce/Ee+1

CVE-2023-3932

Weakness Enumeration

Related Identifiers

Affected Products

References · 18