Missing Authentication for Critical Function in Gitlab Community Edition - CVE-2017-0919

Published: July 3, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31275
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-0919
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to manipulate data.

GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the GitLab import component. An attacker can use it to perform operations under a group for which they were not previously authorized.

How to mitigate CVE-2017-0919

Install the update from the vendor's website: upgrade to GitLab 10.1.6, 10.2.6 or 10.3.4 (or a later release of the corresponding branch), the fixed versions named in the description above.

Sources