CVE-2023-5106
First published: Mon Oct 02 2023(Updated: )
An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.
Credit: cve@gitlab.com cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gitlab Gitlab | >=13.12<16.2.8 | |
| Gitlab Gitlab | >=16.3.0<16.3.5 | |
| Gitlab Gitlab | =16.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-5106?
The severity of CVE-2023-5106 is high with a CVSS score of 7.5.
Which versions of GitLab EE are affected by CVE-2023-5106?
All versions of GitLab EE starting from 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 are affected by CVE-2023-5106.
What is the impact of CVE-2023-5106?
CVE-2023-5106 could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.
How can I fix CVE-2023-5106?
To fix CVE-2023-5106, update GitLab EE to version 16.2.8, 16.3.5, or 16.4.1 or later.
Where can I find more information about CVE-2023-5106?
You can find more information about CVE-2023-5106 in the GitLab commit mentioned in the reference: https://gitlab.com/gitlab-org/gitlab/-/commit/67039cfcae80b8fc0496f79be88714873cd169b3
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-api
- collector/nvd-index
- vendor/gitlab
- canonical/gitlab gitlab
- version/gitlab gitlab/13.12
- version/gitlab gitlab/16.3.0
- version/gitlab gitlab/16.4.0