7.2

CVE-2023-3915

An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GitlabGitlab SwEditioncommunity Version >= 16.1.0 < 16.1.5
GitlabGitlab SwEditionenterprise Version >= 16.1.0 < 16.1.5
GitlabGitlab SwEditioncommunity Version >= 16.2 < 16.2.5
GitlabGitlab SwEditionenterprise Version >= 16.2 < 16.2.5
GitlabGitlab Version16.3.0 SwEditioncommunity
GitlabGitlab Version16.3.0 SwEditionenterprise
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.03% 0.094
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cve@gitlab.com 6.5 1.2 5.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CWE-279 Incorrect Execution-Assigned Permissions

While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.