CVE-2018-16048 - OpenCVE

An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

References

Link	Resource
https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/	Exploit Vendor Advisory
https://gitlab.com/gitlab-org/gitlab-ce/issues/49947	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-10-03T16:00:00

Updated: 2018-10-03T15:57:01

Reserved: 2018-08-28T00:00:00

Link: CVE-2018-16048

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-10-03T16:29:00.293

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-16048

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-08-03T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-03T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/49947"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-16048", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/49947", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/49947"}, {"name": "https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/", "refsource": "CONFIRM", "url": "https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-16048", "datePublished": "2018-10-03T16:00:00", "dateReserved": "2018-08-28T00:00:00", "dateUpdated": "2018-10-03T15:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "BE7373AC-4676-4157-AB70-E5D74D579E52", "versionEndExcluding": "11.0.6", "versionStartIncluding": "8.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E56022FE-6145-452C-AAB5-F7DC59BFDF7B", "versionEndExcluding": "11.1.5", "versionStartIncluding": "11.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "42E3481C-50E6-4C84-A464-AC37309A1FED", "versionEndExcluding": "11.2.2", "versionStartIncluding": "11.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage."}, {"lang": "es", "value": "Se ha descubierto un problema en las ediciones Community y Enterprise de GitLab, en versiones anteriores a la 11.0.6, versiones 11.1.x anteriores a la 11.1.5 y versiones 11.2.x anteriores a la 11.2.2. Hay una falta de controles de autorizaci\u00f3n para el almacenamiento de repositorios de la API."}], "id": "CVE-2018-16048", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-03T16:29:00.293", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/49947"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}