CVE-2017-0925 - OpenCVE

Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

References

Link	Resource
https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/	Release Notes Vendor Advisory
https://gitlab.com/gitlab-org/gitlab-ee/issues/3847	Issue Tracking
https://www.debian.org/security/2018/dsa-4145	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2018-03-21T20:00:00

Updated: 2018-03-22T09:57:01

Reserved: 2016-11-30T00:00:00

Link: CVE-2017-0925

JSON object: View

NVD Information

Status : Modified

Published: 2018-03-21T20:29:00.747

Modified: 2019-10-09T23:21:13.290

Link: CVE-2017-0925

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "GitLab Community and Enterprise Editions", "vendor": "GitLab", "versions": [{"status": "affected", "version": "8.10.6 - 10.1.5 Fixed in 10.1.6"}, {"status": "affected", "version": "10.2.0 - 10.2.5 Fixed in 10.2.6"}, {"status": "affected", "version": "10.3.0 - 10.3.3 Fixed in 10.3.4"}]}], "datePublic": "2018-01-16T00:00:00", "descriptions": [{"lang": "en", "value": "Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "Insufficiently Protected Credentials (CWE-522)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-03-22T09:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"name": "DSA-4145", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4145"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/gitlab-org/gitlab-ee/issues/3847"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2017-0925", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GitLab Community and Enterprise Editions", "version": {"version_data": [{"version_value": "8.10.6 - 10.1.5 Fixed in 10.1.6"}, {"version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"}, {"version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"}]}}]}, "vendor_name": "GitLab"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insufficiently Protected Credentials (CWE-522)"}]}]}, "references": {"reference_data": [{"name": "DSA-4145", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4145"}, {"name": "https://gitlab.com/gitlab-org/gitlab-ee/issues/3847", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/gitlab-ee/issues/3847"}, {"name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/", "refsource": "CONFIRM", "url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-0925", "datePublished": "2018-03-21T20:00:00", "dateReserved": "2016-11-30T00:00:00", "dateUpdated": "2018-03-22T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "05870508-1CE3-4659-858A-6065F3D8B6B4", "versionEndIncluding": "9.5.10", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "8D9B47D4-A6DB-4EBC-BD09-31CD3A77E430", "versionEndIncluding": "9.5.10", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "81E7F704-BE11-4C38-A69B-27D22298703D", "versionEndIncluding": "10.1.5", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "64162AE5-7888-44B6-9E40-F8003806408C", "versionEndIncluding": "10.1.5", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "643E78E8-2909-41D4-BC2A-2CADDA141DCB", "versionEndIncluding": "10.2.5", "versionStartIncluding": "10.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "AA884C1E-9F66-41DA-9F23-1231086A75CA", "versionEndIncluding": "10.2.5", "versionStartIncluding": "10.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "7E7D952B-AB31-4962-B178-53260246B33E", "versionEndIncluding": "10.3.3", "versionStartIncluding": "10.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "3CEEA359-A827-43C5-8489-FD49AE744CC4", "versionEndIncluding": "10.3.3", "versionStartIncluding": "10.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password."}, {"lang": "es", "value": "Gitlab Enterprise Edition 10.1.0 es vulnerable a un problema de credenciales protegidas de forma insuficiente en el endpoint de API de proyecto de integraci\u00f3n de servicio que resulta en la divulgaci\u00f3n de informaci\u00f3n de contrase\u00f1as en texto plano."}], "id": "CVE-2017-0925", "lastModified": "2019-10-09T23:21:13.290", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-21T20:29:00.747", "references": [{"source": "support@hackerone.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"}, {"source": "support@hackerone.com", "tags": ["Issue Tracking"], "url": "https://gitlab.com/gitlab-org/gitlab-ee/issues/3847"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4145"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "support@hackerone.com", "type": "Secondary"}]}