CVE-2023-4812

An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request.

CVSS v3.0 5.3 MEDIUM

5.3^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/424398	Broken Link
https://hackerone.com/reports/2115574	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:16.7.0::::enterprise:::
	cpe:2.3:a:gitlab:gitlab:16.7.1::::enterprise:::
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

18 Jan 2024, 21:18

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/424398 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/424398 - Broken Link
References	~~() https://hackerone.com/reports/2115574 -~~	() https://hackerone.com/reports/2115574 - Permissions Required
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:16.7.0::::enterprise::: cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:16.7.1::::enterprise:::
First Time		Gitlab gitlab Gitlab

12 Jan 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-12 14:15

Updated : 2024-10-03 07:15

NVD link : CVE-2023-4812

Mitre link : CVE-2023-4812

JSON object : View

Products Affected

gitlab

gitlab

CWE

NVD-CWE-noinfo

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/424398", "name": "GitLab Issue #424398", "tags": ["Broken Link"], "refsource": ""}, {"url": "https://hackerone.com/reports/2115574", "name": "HackerOne Bug Bounty Report #2115574", "tags": ["Permissions Required"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-4812", "ASSIGNER": "cve@gitlab.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}}, "publishedDate": "2024-01-12T14:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16.6.4", "versionStartIncluding": "16.6.0"}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16.6.4", "versionStartIncluding": "16.6.0"}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16.5.5", "versionStartIncluding": "15.3.0"}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16.5.5", "versionStartIncluding": "15.3.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2024-10-03T07:15Z"}