Permissions, Privileges, and Access Controls in Gitlab Community Edition - CVE-2014-8540
Published: January 5, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31370
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-8540
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition
Detailed vulnerability description
The vulnerability allows a remote authenticated user to manipulate data.
The groups API in GitLab 6.x and 7.x before 7.4.3 allows remote authenticated guest users to modify ownership of arbitrary groups by leveraging improper permission checks.
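An added illustration of the class of defect described above, not GitLab's own code: an ownership-change handler that only verifies the caller is an authenticated group member, beside one that authorizes the specific action against the caller's role. The role constants, the Group struct and the function names are assumptions made for the example.

```ruby
# Illustrative role levels (assumed for this example; ordered so that a
# numeric comparison expresses "at least this role").
GUEST     = 10
DEVELOPER = 30
OWNER     = 50

class AccessDenied < StandardError; end

# A group with a members map of user_id => role (constructed sample data).
Group = Struct.new(:name, :members)

# Weak pattern: the endpoint checks only that the caller is authenticated and
# is *some* member of the group, then applies the ownership change. A guest
# member passes this check and can make any member (including itself) an owner.
def transfer_ownership_unchecked(group, caller_id, new_owner_id)
  raise AccessDenied, "not a member" unless group.members.key?(caller_id)
  group.members[new_owner_id] = OWNER
  group
end

# Hardened pattern: authorize the action itself. Only a caller holding the
# owner role may grant ownership, and the target must already be a member.
def transfer_ownership(group, caller_id, new_owner_id)
  role = group.members[caller_id]
  raise AccessDenied, "owner role required" unless role && role >= OWNER
  raise AccessDenied, "target must be a member" unless group.members.key?(new_owner_id)
  group.members[new_owner_id] = OWNER
  group
end

# Runs one handler as a given caller and reports whether it was allowed,
# so the two patterns can be compared on identical input.
def attempt(handler, group, caller_id, new_owner_id)
  send(handler, group, caller_id, new_owner_id)
  :allowed
rescue AccessDenied
  :denied
end

def sample_group
  Group.new("security-team", { 1 => OWNER, 2 => GUEST })
end
```

Running `attempt(:transfer_ownership_unchecked, sample_group, 2, 2)` returns `:allowed` (a guest promoted itself), while the hardened handler returns `:denied` for the same call and `:allowed` only when the caller already holds the owner role.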
How to mitigate CVE-2014-8540
Install the fixed release (GitLab 7.4.3 or later) from the vendor's website.
Sources
- http://www.openwall.com/lists/oss-security/2014/10/31/2
- http://www.securityfocus.com/bid/70841
- https://about.gitlab.com/2014/10/30/gitlab-7-4-3-released/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98449
- https://gitlab.com/gitlab-org/gitlab-ce/commit/a2dfff418bf2532ebb5aee88414107929b17eefd