4.9

CVE-2023-2485

Incorrect Privilege Assignment in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GitlabGitLab SwEditioncommunity Version >= 14.1.0 < 15.10.8
GitlabGitLab SwEditionenterprise Version >= 14.1.0 < 15.10.8
GitlabGitLab SwEditioncommunity Version >= 15.11.0 < 15.11.7
GitlabGitLab SwEditionenterprise Version >= 15.11.0 < 15.11.7
GitlabGitLab SwEditioncommunity Version >= 16.0.0 < 16.0.2
GitlabGitLab SwEditionenterprise Version >= 16.0.0 < 16.0.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.378
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.9 1.2 3.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
cve@gitlab.com 4.4 0.7 3.6
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
CWE-266 Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

https://hackerone.com/reports/1934811
Third Party Advisory
Permissions Required