Main Vulnerability Database Vulnerabilities #VU39801

Permissions, Privileges, and Access Controls in Gitlab Community Edition - CVE-2016-4340

Published: January 23, 2017 / Updated: August 9, 2020

Vulnerability identifier: #VU39801

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2016-4340

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: GitLab, Inc

Affected software:
Gitlab Community Edition

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors.

How to mitigate CVE-2016-4340

Install update from vendor's website.

Sources

http://packetstormsecurity.com/files/138368/GitLab-Impersonate-Privilege-Escalation.html
https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/
https://gitlab.com/gitlab-org/gitlab-ce/issues/15548
https://www.exploit-db.com/exploits/40236/

Permissions, Privileges, and Access Controls in Gitlab Community Edition - CVE-2016-4340

Detailed vulnerability description

How to mitigate CVE-2016-4340

Sources

Please verify you're human