6.5

CVE-2021-22263

Exploit
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GitlabGitlab SwEditioncommunity Version >= 13.0.0 < 14.0.9
GitlabGitlab SwEditionenterprise Version >= 13.0.0 < 14.0.9
GitlabGitlab SwEditioncommunity Version >= 14.1.0 < 14.1.4
GitlabGitlab SwEditionenterprise Version >= 14.1.0 < 14.1.4
GitlabGitlab SwEditioncommunity Version >= 14.2.0 < 14.2.2
GitlabGitlab SwEditionenterprise Version >= 14.2.0 < 14.2.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.428
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 1.2 5.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov 5.5 8 4.9
AV:N/AC:L/Au:S/C:P/I:P/A:N
cve@gitlab.com 5.5 1.2 4.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://gitlab.com/gitlab-org/gitlab/-/issues/331473
Vendor Advisory
Exploit
Issue Tracking
https://hackerone.com/reports/1193062
Third Party Advisory
Exploit