First published: Mon Oct 02 2023(Updated: )
An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.
Credit: cve@gitlab.com cve@gitlab.com
Affected Software | Affected Version | How to fix |
---|---|---|
Gitlab Gitlab | >=13.12<16.2.8 | |
Gitlab Gitlab | >=16.3.0<16.3.5 | |
Gitlab Gitlab | =16.4.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2023-5106 is high with a CVSS score of 7.5.
All versions of GitLab EE starting from 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 are affected by CVE-2023-5106.
CVE-2023-5106 could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.
To fix CVE-2023-5106, update GitLab EE to version 16.2.8, 16.3.5, or 16.4.1 or later.
You can find more information about CVE-2023-5106 in the GitLab commit mentioned in the reference: https://gitlab.com/gitlab-org/gitlab/-/commit/67039cfcae80b8fc0496f79be88714873cd169b3