CVE-2023-4658

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

A

n issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group.

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/423835	Broken Link Vendor Advisory
https://hackerone.com/reports/2104540	Permissions Required Third Party Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/423835	Broken Link Vendor Advisory
https://hackerone.com/reports/2104540	Permissions Required Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:16.6.0::::enterprise:::

History

21 Nov 2024, 08:35

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/423835 - Broken Link, Vendor Advisory~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/423835 - Broken Link, Vendor Advisory
References	~~() https://hackerone.com/reports/2104540 - Permissions Required, Third Party Advisory~~	() https://hackerone.com/reports/2104540 - Permissions Required, Third Party Advisory

03 Oct 2024, 07:15

Type	Values Removed	Values Added
CWE	~~CWE-284~~	CWE-863

Information

Published : 2023-12-01 07:15

Updated : 2024-11-21 08:35

NVD link : CVE-2023-4658

Mitre link : CVE-2023-4658

CVE.ORG link : CVE-2023-4658

JSON object : View

Products Affected

gitlab

CWE

CWE-863

Incorrect Authorization

NVD-CWE-noinfo

{"id": "CVE-2023-4658", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2023-12-01T07:15:10.807", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/423835", "tags": ["Broken Link", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://hackerone.com/reports/2104540", "tags": ["Permissions Required", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/423835", "tags": ["Broken Link", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/2104540", "tags": ["Permissions Required", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en GitLab EE que afecta a todas las versiones desde 8.13 anteriores a 16.4.3, todas las versiones desde 16.5 anteriores a 16.5.3, todas las versiones desde 16.6 anteriores a 16.6.1. Era posible que un atacante abusara del permiso \"Permitido fusionar\" como usuario invitado, cuando se le conced\u00eda el permiso a trav\u00e9s de un grupo."}], "lastModified": "2024-11-21T08:35:37.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "ED3112DB-4343-44FC-BF0C-91336099167C", "versionEndExcluding": "16.4.3", "versionStartIncluding": "8.13.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "6B77E904-2562-4F78-A787-7F51871054BA", "versionEndExcluding": "16.5.3", "versionStartIncluding": "16.5.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:16.6.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "8D5674D6-E26B-4F62-9B59-C15DEEDDB4B1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}