PT-2024-1046 · GitLab · GitLab CE/EE


Published: 2024-01-11 · Updated: 2024-05-03 · CVE-2023-5356

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
GitLab CE/EE, all versions from 8.13 before 16.5.6; all versions from 16.6 before 16.6.4; all versions from 16.7 before 16.7.2. The fixed releases (16.5.6, 16.6.4, 16.7.2) are not affected.

Description
Incorrect authorization checks in GitLab's Slack and Mattermost slash-command integrations allow an authenticated user to run slash commands as another user. Slash commands are GitLab actions triggered from chat (for example showing or creating issues, or running deployments), so a remote attacker who can reach the integration can perform those actions with the victim's privileges. The flaw lies in the authorization of chat-originated commands; it is not operating-system command execution.

Recommendations
Upgrade GitLab CE/EE to a fixed release: 16.5.6 or later for versions from 8.13 up to the 16.5 line, 16.6.4 or later for the 16.6 line, and 16.7.2 or later for the 16.7 line. Until the upgrade is applied, disable or restrict the Slack and Mattermost slash-command integrations on affected projects. Review integration activity in the GitLab logs for slash commands executed on behalf of users who did not issue them.
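The version check implied by the affected ranges above, as an added example (this is not code from the advisory or from GitLab). It treats each range as a half-open interval [first affected, fixed release) and strips edition suffixes such as "-ee" before comparing. The second helper classifies integration records of the shape returned by GitLab's project integrations API (the `slug` and `active` fields); the sample records are constructed, and the assumption that only the two slash-command integration slugs are in scope is mine, drawn from the advisory's wording.

```python
"""Offline checks for CVE-2023-5356: is a GitLab version affected, and
which project integrations should be disabled as a temporary workaround?"""
from typing import List, Optional, Tuple

# Affected ranges from the advisory, as [first affected, fixed) so the fixed
# release itself is reported as not affected.
AFFECTED_RANGES = (
    ((8, 13, 0), (16, 5, 6)),
    ((16, 6, 0), (16, 6, 4)),
    ((16, 7, 0), (16, 7, 2)),
)

# Integration slugs that expose slash commands (assumption: these are the
# "Slack/Mattermost integrations" the advisory refers to).
SLASH_COMMAND_INTEGRATIONS = {"slack-slash-commands", "mattermost-slash-commands"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '16.5.5', '16.5.5-ee' or '16.7.0-pre' into a comparable tuple."""
    core = version.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release for an affected version, or None if unaffected."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def active_slash_command_integrations(integrations: List[dict]) -> List[str]:
    """Given integration records (GET /projects/:id/integrations returns
    objects carrying 'slug' and 'active'), list the active slash-command
    integrations that the workaround says to disable until the upgrade."""
    return sorted(
        rec["slug"]
        for rec in integrations
        if rec.get("active") and rec.get("slug") in SLASH_COMMAND_INTEGRATIONS
    )


# Constructed sample records, not real API output.
SAMPLE_INTEGRATIONS = [
    {"slug": "slack-slash-commands", "active": True},
    {"slug": "mattermost-slash-commands", "active": False},
    {"slug": "jira", "active": True},
]

if __name__ == "__main__":
    for ver in ("16.5.5-ee", "16.5.6", "16.6.3", "16.7.2", "8.12.9"):
        fix = fixed_version_for(ver)
        print(f"{ver}: {'AFFECTED, upgrade to ' + fix if fix else 'not affected'}")
    print("disable:", active_slash_command_integrations(SAMPLE_INTEGRATIONS))
```

For a live instance, feed `parse_version` the `version` field of `GET /api/v4/version` and `active_slash_command_integrations` the response of `GET /api/v4/projects/:id/integrations` for each project; the functions themselves make no network calls.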

Weakness Enumeration

Incorrect Authorization (CWE-863)

Related Identifiers

BDU:2024-00260
BIT-GITLAB-2023-5356
CVE-2023-5356

Affected Products

GitLab
GitLab CE/EE
Mattermost
Slack