CVSS 3.0 base score: 5.9

CVE-2017-17716

GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem.

Data is provided by the National Vulnerability Database (NVD)
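The advisory above describes a CWE-295 condition: the LDAP client negotiated TLS but never checked the server's certificate, so a `verify_certificates` setting had no effect on GitLab 9.4.0 and 9.4.1. The following Ruby program is an added example written for this page, not code from GitLab or the omniauth-ldap gem. It uses only the standard library (`openssl`, `socket`): it starts a TLS listener on localhost presenting a constructed self-signed certificate (standing in for an LDAPS server with an untrusted certificate) and performs the handshake twice, once with a GitLab-style LDAP server hash that has `verify_certificates => false` and once with `=> true`. The hash keys mirror the names used in gitlab.rb; the mapping function `tls_options_for`, the listener and the `handshake` helper are assumptions for illustration, and no LDAP messages are exchanged, since the certificate check happens in the TLS handshake alone.

```ruby
# Added example (not GitLab's own code): shows what "no LDAP SSL certificate
# verification" means at the TLS layer, using only Ruby's standard library.
require "openssl"
require "socket"

# Constructed test data: a throwaway self-signed certificate, standing in for an
# LDAP server whose certificate is not signed by any trusted CA.
def self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=ldap.example.invalid")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Hypothetical mapping from a gitlab.rb-style LDAP server hash to OpenSSL
# options. Leaving verify_certificates unset defaults to verification, which is
# the safe choice; false reproduces the behaviour 9.4.0/9.4.1 had regardless
# of configuration.
def tls_options_for(ldap_server)
  verify = ldap_server.fetch("verify_certificates", true)
  { verify_mode: verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE }
end

# Start a one-connection TLS listener on 127.0.0.1 presenting the given
# certificate; returns the ephemeral port. The accept runs in a thread so the
# client below can connect from the same process.
def start_tls_listener(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new("127.0.0.1", 0)
  port = tcp.addr[1]
  ssl_server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    begin
      conn = ssl_server.accept # performs the server side of the handshake
      conn.close
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      # The client aborted the handshake; expected when it verifies the cert.
    ensure
      ssl_server.close
    end
  end
  port
end

# Attempt an LDAPS-style TLS handshake against the listener. The client trusts
# an empty CA store, so with VERIFY_PEER a self-signed server cert must fail.
# Returns :connected or :rejected.
def handshake(port, tls_options)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = tls_options[:verify_mode]
  ctx.cert_store = OpenSSL::X509::Store.new # trusts no CA at all
  sock = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.connect
  ssl.close
  :connected
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  sock&.close
end

# Run the weak and the corrected setting against fresh listeners.
# Expected: verify_certificates false -> :connected, true -> :rejected.
def check_verification
  cert, key = self_signed_cert
  weak   = { "host" => "127.0.0.1", "port" => 636, "encryption" => "simple_tls",
             "verify_certificates" => false }
  strict = weak.merge("verify_certificates" => true)
  {
    verify_certificates_false: handshake(start_tls_listener(cert, key), tls_options_for(weak)),
    verify_certificates_true:  handshake(start_tls_listener(cert, key), tls_options_for(strict))
  }
end

if __FILE__ == $PROGRAM_NAME
  check_verification.each { |setting, result| puts "#{setting}: #{result}" }
end
```

The point of the two results is that with verification off, any host that can intercept the LDAPS connection (an on-path position is what CVSS AV:N/AC:H captures) can present its own certificate and read the bind credentials, which is why this is scored as a confidentiality-only issue. On a real deployment the same key lives under gitlab_rails['ldap_servers'] in /etc/gitlab/gitlab.rb, but on the affected 9.4.0 and 9.4.1 builds the option was not wired up, so setting it is not a mitigation; upgrading to 9.4.2 or later is.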
Affected configurations

Vendor   Product   Version   Update
Gitlab   Gitlab    9.4.0     -
Gitlab   Gitlab    9.4.0     rc1
Gitlab   Gitlab    9.4.0     rc2
Gitlab   Gitlab    9.4.0     rc3
Gitlab   Gitlab    9.4.0     rc4
Gitlab   Gitlab    9.4.0     rc5
Gitlab   Gitlab    9.4.0     rc6
Gitlab   Gitlab    9.4.1     -
No CISA KEV entry or CERT.AT advisory was found for this CVE.

EPSS metrics

Type   Source      Score   Percentile
EPSS   FIRST.org   0.09%   0.26
CVSS metrics

Source         Version   Base Score   Exploitability Score   Impact Score   Vector string
nvd@nist.gov   3.0       5.9          2.2                    3.6            CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov   2.0       4.3          8.6                    2.9            AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.