CVE-2023-3509

An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/416945	Broken Link Permissions Required
https://hackerone.com/reports/2037814	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab::::::::
	cpe:2.3:a:gitlab:gitlab::::::::
	cpe:2.3:a:gitlab:gitlab:16.9.0:::::::*

History

04 Mar 2024, 20:59

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/416945 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/416945 - Broken Link, Permissions Required
References	~~() https://hackerone.com/reports/2037814 -~~	() https://hackerone.com/reports/2037814 - Permissions Required
CVSS	v2 : ~~unknown~~ v3 : ~~3.7~~	v2 : unknown v3 : 5.4
CPE		cpe:2.3:a:gitlab:gitlab:16.9.0:::::::* cpe:2.3:a:gitlab:gitlab::::::::
CWE		NVD-CWE-Other
First Time		Gitlab Gitlab gitlab

22 Feb 2024, 19:07

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema en GitLab que afecta a todas las versiones anteriores a 16.7.6, todas las versiones desde 16.8 anteriores a 16.8.3, todas las versiones desde 16.9 anteriores a 16.9.1. Los miembros del grupo con función de submantenedor podían cambiar el título de las claves de implementación de acceso privado asociadas con los proyectos del grupo.

21 Feb 2024, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-21 23:15

Updated : 2024-03-04 20:59

NVD link : CVE-2023-3509

Mitre link : CVE-2023-3509

CVE.ORG link : CVE-2023-3509

JSON object : View

Products Affected

gitlab

gitlab

CWE

NVD-CWE-Other CWE-284

Improper Access Control

{"id": "CVE-2023-3509", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.2}]}, "published": "2024-02-21T23:15:08.223", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/416945", "tags": ["Broken Link", "Permissions Required"], "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2037814", "tags": ["Permissions Required"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en GitLab que afecta a todas las versiones anteriores a 16.7.6, todas las versiones desde 16.8 anteriores a 16.8.3, todas las versiones desde 16.9 anteriores a 16.9.1. Los miembros del grupo con funci\u00f3n de submantenedor pod\u00edan cambiar el t\u00edtulo de las claves de implementaci\u00f3n de acceso privado asociadas con los proyectos del grupo."}], "lastModified": "2024-03-04T20:59:58.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A04F244-8B1C-451C-9C0F-86885410FBD9", "versionEndIncluding": "16.7.6"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0A7B883-EFAA-456B-AB89-9FEF5BED60CB", "versionEndIncluding": "16.8.3", "versionStartIncluding": "16.8.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:16.9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06CEE568-A6C1-4C8A-8786-B561643668AB"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}