Weak Password Recovery Mechanism for Forgotten Password in Gitlab Community Edition - CVE-2017-0921

Published: July 3, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31276
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-0921
CWE-ID: CWE-640
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition

Detailed vulnerability description

The vulnerability allows a remote attacker who holds a compromised session for a victim's account to set a new password for that account without any further verification, and so take the account over.

GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised.
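The core of the weakness is that the session alone authorizes the password change, so a session hijacker can lock the legitimate user out permanently. The following is an added illustration written for this page, not GitLab's own PasswordsController code; the class names, the PBKDF2 hashing scheme, the in-memory reset-token store and the sample credentials are all constructed assumptions. It places the unverified pattern next to a hardened handler that requires either the current password or a single-use, expiring reset token bound to the same user:

```ruby
require "openssl"
require "securerandom"
require "digest"

# Constant-time comparison of two equal-length strings (avoids timing leaks).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Illustrative user record: salted PBKDF2-HMAC-SHA256 digest of the password.
# The scheme is an assumption for this example, not GitLab's storage format.
class User
  attr_reader :email, :salt, :password_digest

  def initialize(email, password)
    @email = email
    set_password(password)
  end

  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 50_000, 32, "sha256").unpack1("H*")
  end

  def password_matches?(candidate)
    secure_equal?(User.digest(candidate, salt), password_digest)
  end

  def set_password(new_password)
    @salt = SecureRandom.hex(16)
    @password_digest = User.digest(new_password, @salt)
  end
end

# Single-use, expiring reset tokens. Only the SHA-256 of the token is stored,
# so a read of the store does not yield usable tokens.
class ResetTokens
  def initialize
    @store = {}
  end

  def issue(user, ttl: 3600, now: Time.now)
    token = SecureRandom.hex(32)
    @store[Digest::SHA256.hexdigest(token)] = { user: user, expires_at: now + ttl }
    token
  end

  # Returns the bound user once, or nil if the token is unknown, used or expired.
  def consume(token, now: Time.now)
    entry = @store.delete(Digest::SHA256.hexdigest(token.to_s))
    return nil if entry.nil? || now > entry[:expires_at]
    entry[:user]
  end
end

# Vulnerable pattern (the unverified change the advisory describes, CWE-640):
# whoever holds a valid session can set a new password with no further proof.
class UnverifiedPasswordChange
  def call(session_user, params)
    session_user.set_password(params[:password])
    :changed
  end
end

# Hardened pattern: the change must be proven by the current password, or by a
# reset token bound to the same user. A stolen session on its own is rejected.
class VerifiedPasswordChange
  def initialize(tokens)
    @tokens = tokens
  end

  def call(session_user, params)
    proven =
      if params[:reset_token]
        @tokens.consume(params[:reset_token]).equal?(session_user)
      else
        session_user.password_matches?(params[:current_password].to_s)
      end
    return :rejected unless proven
    session_user.set_password(params[:password])
    :changed
  end
end

# Scenario from the advisory: the attacker has hijacked the victim's session
# but does not know the victim's password (all values here are constructed).
def attacker_takeover(handler)
  victim = User.new("victim@example.com", "correct horse battery staple")
  result = handler.call(victim, { password: "attacker-owned" })
  { result: result,
    victim_still_has_access: victim.password_matches?("correct horse battery staple") }
end

if __FILE__ == $PROGRAM_NAME
  p attacker_takeover(UnverifiedPasswordChange.new)             # victim locked out
  p attacker_takeover(VerifiedPasswordChange.new(ResetTokens.new)) # rejected
end
```

Run as a script, the first line shows the session hijacker succeeding and the victim losing access; the second shows the same request rejected. The reset-token branch also demonstrates the two properties a recovery flow needs beyond "some proof": the token is consumed on first use and it stops working after its expiry, so a token leaked from a log or an old e-mail cannot be replayed later.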


How to mitigate CVE-2017-0921

Install the update from the vendor's website: upgrade to GitLab 10.1.6, 10.2.6 or 10.3.4, or a later release, which are the fixed versions named in the description above.

Sources