Permissions, Privileges, and Access Controls in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2023-2478


Published: May 5, 2023


Vulnerability identifier: #VU75770
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-2478
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
GitLab Community Edition
GitLab Enterprise Edition
Software vendor:
GitLab, Inc

Description

The vulnerability allows a remote authenticated user to compromise any project on the instance.

The vulnerability exists due to a missing authorization check on a GraphQL endpoint. Under certain conditions, any GitLab user account on the instance, regardless of its role in the target project, can use the endpoint to attach a runner under the attacker's control to any project on the instance. A runner attached to a project receives that project's CI jobs, including the job token, CI/CD variables and the checked-out source, so the attacker can read secrets and tamper with pipeline output.
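The page gives no fix or exploit code, only the mechanism above. For an operator who wants to check whether a rogue runner was attached to a project, here is an added triage script; it is not from this page or from GitLab. It assumes runner records in the shape returned by the GitLab REST API `GET /runners/:id` (fields `runner_type`, `description`, `ip_address`, `contacted_at`, `projects[]` with `path_with_namespace`) and an operator-maintained allowlist of the runner IDs each project is expected to use. The runner records and the allowlist below are constructed for the example.

```python
"""Find GitLab runners attached to projects that do not expect them.

Assumed input shape: the JSON returned by GitLab's REST API `GET /runners/:id`.
The records below are constructed for this example; they are not real runners.
"""
import json
from typing import Any, Dict, List, Set

# Constructed sample data: two expected project runners and one runner (id 99)
# that has been enabled on both projects without appearing in the allowlist.
SAMPLE_RUNNERS_JSON = """
[
  {"id": 11, "description": "web-builder", "runner_type": "project_type",
   "ip_address": "10.0.1.5", "contacted_at": "2023-05-04T10:00:00Z",
   "projects": [{"id": 1, "path_with_namespace": "acme/web"}]},
  {"id": 12, "description": "billing-builder", "runner_type": "project_type",
   "ip_address": "10.0.1.6", "contacted_at": "2023-05-04T10:01:00Z",
   "projects": [{"id": 2, "path_with_namespace": "acme/billing"}]},
  {"id": 99, "description": "ci-helper", "runner_type": "project_type",
   "ip_address": "203.0.113.7", "contacted_at": "2023-05-04T11:30:00Z",
   "projects": [{"id": 2, "path_with_namespace": "acme/billing"},
                {"id": 1, "path_with_namespace": "acme/web"}]}
]
"""

# Assumed allowlist (example data): runner ids each project is known to use.
EXPECTED_RUNNERS: Dict[str, Set[int]] = {
    "acme/web": {11},
    "acme/billing": {12},
}


def load_runners(raw: str) -> List[Dict[str, Any]]:
    """Parse runner detail records from JSON text."""
    return json.loads(raw)


def unexpected_attachments(runners: List[Dict[str, Any]],
                           expected: Dict[str, Set[int]]) -> List[Dict[str, Any]]:
    """Return one finding per (runner, project) pair that is not allowlisted.

    A runner attached through a flawed GraphQL endpoint shows up here because
    no maintainer ever added it to the project's expected set.
    """
    findings = []
    for runner in runners:
        for project in runner.get("projects", []):
            path = project["path_with_namespace"]
            if runner["id"] not in expected.get(path, set()):
                findings.append({
                    "runner_id": runner["id"],
                    "project": path,
                    "runner_type": runner.get("runner_type"),
                    "description": runner.get("description"),
                    "ip_address": runner.get("ip_address"),
                    "contacted_at": runner.get("contacted_at"),
                })
    return findings


def multi_project_runners(runners: List[Dict[str, Any]]) -> List[int]:
    """Project-scoped runners enabled on more than one project.

    Worth a second look even when allowlisted: a rogue runner is most useful to
    an attacker when it is enabled on several targets at once.
    """
    return [r["id"] for r in runners
            if r.get("runner_type") == "project_type"
            and len(r.get("projects", [])) > 1]


if __name__ == "__main__":
    runners = load_runners(SAMPLE_RUNNERS_JSON)
    print(json.dumps(unexpected_attachments(runners, EXPECTED_RUNNERS), indent=2))
    print("project runners spanning several projects:",
          multi_project_runners(runners))
```

On a live instance the records would come from `GET /runners/all` (administrator token) followed by `GET /runners/:id` for each runner; the allowlist is the operator's own inventory, not something the API provides. Any finding should be cross-checked against the project's audit events for who registered the runner and when.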


Remediation

Upgrade to a fixed GitLab release as published in the vendor's security advisory. After upgrading, review the runners attached to each project and remove any that were not registered by an authorised maintainer; rotate any CI/CD variables or tokens such a runner could have received.

External links