CVE-2023-3484 - OpenCVE

An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

References

Link	Resource
https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/416773	Broken Link
https://hackerone.com/reports/2035687	Permissions Required

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitLab

Published: 2023-07-21T13:01:03.770Z

Updated: 2023-07-21T13:01:03.770Z

Reserved: 2023-06-30T17:18:21.746Z

Link: CVE-2023-3484

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-21T14:15:10.010

Modified: 2023-07-31T17:03:19.533

Link: CVE-2023-3484

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-3484", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2023-06-30T17:18:21.746Z", "datePublished": "2023-07-21T13:01:03.770Z", "dateUpdated": "2023-07-21T13:01:03.770Z"}, "containers": {"cna": {"title": "Business Logic Errors in GitLab", "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "versions": [{"version": "12.8", "status": "affected", "lessThan": "15.11.11", "versionType": "semver"}, {"version": "16.0", "status": "affected", "lessThan": "16.0.7", "versionType": "semver"}, {"version": "16.1", "status": "affected", "lessThan": "16.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-840: Business Logic Errors", "cweId": "CWE-840", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/416773", "name": "GitLab Issue #416773", "tags": ["issue-tracking"]}, {"url": "https://hackerone.com/reports/2035687", "name": "HackerOne Bug Bounty Report #2035687", "tags": ["technical-description", "exploit"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 15.11.11, 16.0.7, 16.1.2 or above."}], "credits": [{"lang": "en", "value": "Thanks [zeb0x01](https://hackerone.com/zeb0x01) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2023-07-21T13:01:03.770Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "32F2AE09-2A49-4C15-AA12-2A3921C0299A", "versionEndExcluding": "15.11.11", "versionStartIncluding": "12.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9BEC60C3-6725-4F2A-ABCF-E536C8DD4D63", "versionEndExcluding": "16.0.7", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "A33FDEA1-2885-400D-BCE7-C1EEE80A6E3E", "versionEndExcluding": "16.1.2", "versionStartIncluding": "16.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations."}], "id": "CVE-2023-3484", "lastModified": "2023-07-31T17:03:19.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2023-07-21T14:15:10.010", "references": [{"source": "nvd@nist.gov", "tags": ["Vendor Advisory"], "url": "https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/416773"}, {"source": "cve@gitlab.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/2035687"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-840"}], "source": "cve@gitlab.com", "type": "Secondary"}]}