First published: Fri Sep 01 2023
An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects.
Credit: cve@gitlab.com
Affected Software | Affected Version | How to fix
---|---|---
GitLab | >=16.1.0, <16.1.5 | Upgrade to 16.1.5 or above
GitLab | >=16.2.0, <16.2.5 | Upgrade to 16.2.5 or above
GitLab | =16.3.0 | Upgrade to 16.3.1 or above

Upgrade to versions 16.1.5, 16.2.5, 16.3.1 or above.
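An added audit example (not from the advisory or from GitLab) for the precondition the advisory describes: an external user holding the Owner role on a group. It assumes the shapes of the admin `GET /users` objects (an `external` boolean) and of `GET /groups/:id/members/all` objects (`access_level`, with 50 meaning Owner); the sample records below are constructed.

```python
"""Flag external users who hold the Owner role on any group.

On an unpatched instance (before 16.1.5 / 16.2.5 / 16.3.1) each finding is a
path to creating a non-external service account, so each one should be
reviewed: demote the member or confirm the instance is patched.
Field names mirror the GitLab REST API (assumption, see lead-in).
"""
from typing import Iterable

OWNER_ACCESS_LEVEL = 50  # assumption: GitLab's numeric access level for Owner

# Constructed sample of admin `GET /users` results (only the fields needed here).
USERS = [
    {"id": 1, "username": "alice", "external": False},
    {"id": 2, "username": "contractor-bob", "external": True},
    {"id": 3, "username": "carol", "external": False},
]

# Constructed sample of `GET /groups/:id/members/all` results, keyed by group path.
GROUP_MEMBERS = {
    "internal-tools": [
        {"id": 1, "username": "alice", "access_level": 50},
        {"id": 2, "username": "contractor-bob", "access_level": 50},
    ],
    "docs": [
        {"id": 2, "username": "contractor-bob", "access_level": 30},
        {"id": 3, "username": "carol", "access_level": 50},
    ],
}


def external_owners(users: Iterable[dict], group_members: dict) -> list:
    """Return sorted (group, username) pairs where an external user is an Owner."""
    external_ids = {u["id"] for u in users if u.get("external")}
    findings = []
    for group, members in group_members.items():
        for m in members:
            if m["id"] in external_ids and m.get("access_level", 0) >= OWNER_ACCESS_LEVEL:
                findings.append((group, m["username"]))
    return sorted(findings)


if __name__ == "__main__":
    for group, user in external_owners(USERS, GROUP_MEMBERS):
        print(f"external user {user!r} is Owner of group {group!r}")
```

Against a live instance the two constructed lists would be replaced with paginated API responses; the check itself is unchanged.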
The vulnerability ID is CVE-2023-3915.
The severity of CVE-2023-3915 is high with a CVSS score of 7.2.
All versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, and version 16.3.0 are affected by CVE-2023-3915.
If an external user is given an owner role on any group, they may escalate their privileges and gain unauthorized access.
More information about CVE-2023-3915 is available in the following references: [GitLab issue](https://gitlab.com/gitlab-org/gitlab/-/issues/417664) and [HackerOne report](https://hackerone.com/reports/2040834).