Vulnerability-Lookup

CVE-2023-6955 (GCVE-0-2023-6955)

Vulnerability from cvelistv5 – Published: 2024-01-12 13:56 – Updated: 2025-06-17 21:09

Title

Missing Authorization in GitLab

Summary

A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.

Severity ?

6.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N

CWE

CWE-862 - Missing Authorization

Assigner

GitLab

References

URL

	Vendor	Product	Version
	GitLab	GitLab	Affected: 0 , < 16.5.6 (semver) Affected: 16.6 , < 16.6.4 (semver) Affected: 16.7 , < 16.7.2 (semver) cpe:2.3:a:gitlab:gitlab::::::::

bit-gitlab-2023-6955

Vulnerability from bitnami_vulndb

Published

2024-03-06 10:53

Modified

2025-05-20 10:02

Summary

Missing Authorization in GitLab

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "gitlab",
        "purl": "pkg:bitnami/gitlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "16.5.6"
            },
            {
              "introduced": "16.6.0"
            },
            {
              "fixed": "16.6.4"
            },
            {
              "introduced": "16.7.0"
            },
            {
              "fixed": "16.7.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-6955"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
      "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
      "cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:community:*:*:*",
      "cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:enterprise:*:*:*",
      "cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:community:*:*:*",
      "cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:enterprise:*:*:*",
      "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.",
  "id": "BIT-gitlab-2023-6955",
  "modified": "2025-05-20T10:02:07.006Z",
  "published": "2024-03-06T10:53:55.060Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/432188"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6955"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Missing Authorization in GitLab"
}

CVE-2023-6955

Vulnerability from fstec - Published: 19.12.2023

Title

Уязвимость функции Remote Development программной платформы на базе git для совместной работы над кодом GitLab, позволяющая нарушителю получить доступ на чтение, изменение или удаление данных

Description

Уязвимость функции Remote Development программной платформы на базе git для совместной работы над кодом GitLab связана с недостатками разграничения доступа. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, повысить свои привилегии

Severity ?


                    
                      AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N

Vendor

GitLab Inc.

Software Name

Gitlab

Software Version

от 16.1 до 16.1.6 (Gitlab), от 16.2 до 16.2.9 (Gitlab), от 16.3 до 16.3.7 (Gitlab), от 16.4 до 16.4.5 (Gitlab), от 16.6 до 16.6.4 (Gitlab), от 16.7 до 16.7.2 (Gitlab), от 16.5 до 16.5.6 (Gitlab)

Possible Mitigations

Использование рекомендаций: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

Reference

https://vuldb.com/ru/?id.250615 https://docs.gitlab.com/ee/user/project/remote_development/ https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ https://habr.com/ru/news/786144/

CWE

CWE-264, CWE-284

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:P/A:N",
  "CVSS 3.0": "AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "GitLab Inc.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 16.1 \u0434\u043e 16.1.6 (Gitlab), \u043e\u0442 16.2 \u0434\u043e 16.2.9 (Gitlab), \u043e\u0442 16.3 \u0434\u043e 16.3.7 (Gitlab), \u043e\u0442 16.4 \u0434\u043e 16.4.5 (Gitlab), \u043e\u0442 16.6 \u0434\u043e 16.6.4 (Gitlab), \u043e\u0442 16.7 \u0434\u043e 16.7.2 (Gitlab), \u043e\u0442 16.5 \u0434\u043e 16.5.6 (Gitlab)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "19.12.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "15.01.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "15.01.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-00285",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-6955",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Gitlab",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 Remote Development \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u043d\u0430 \u0431\u0430\u0437\u0435 git \u0434\u043b\u044f \u0441\u043e\u0432\u043c\u0435\u0441\u0442\u043d\u043e\u0439 \u0440\u0430\u0431\u043e\u0442\u044b \u043d\u0430\u0434 \u043a\u043e\u0434\u043e\u043c GitLab, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043d\u0430 \u0447\u0442\u0435\u043d\u0438\u0435, \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u0435 \u0438\u043b\u0438 \u0443\u0434\u0430\u043b\u0435\u043d\u0438\u0435 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0420\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u0438\u044f, \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c (CWE-264), \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (CWE-284)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 Remote Development \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u043d\u0430 \u0431\u0430\u0437\u0435 git \u0434\u043b\u044f \u0441\u043e\u0432\u043c\u0435\u0441\u0442\u043d\u043e\u0439 \u0440\u0430\u0431\u043e\u0442\u044b \u043d\u0430\u0434 \u043a\u043e\u0434\u043e\u043c GitLab \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u0440\u0430\u0437\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://vuldb.com/ru/?id.250615\nhttps://docs.gitlab.com/ee/user/project/remote_development/\nhttps://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/\nhttps://habr.com/ru/news/786144/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-264, CWE-284",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,1)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,6)"
}

GHSA-2W7Q-MJ4W-9CM2

Vulnerability from github – Published: 2024-01-12 15:30 – Updated: 2024-01-12 15:30

Details

An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.

Severity ?

6.6 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-6955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-668",
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-12T14:15:49Z",
    "severity": "MODERATE"
  },
  "details": "An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. ",
  "id": "GHSA-2w7q-mj4w-9cm2",
  "modified": "2024-01-12T15:30:32Z",
  "published": "2024-01-12T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6955"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/432188"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2023-6955

Vulnerability from gsd - Updated: 2023-12-21 06:01

Details

Aliases

CVE-2023-6955

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-6955"
      ],
      "details": "An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. ",
      "id": "GSD-2023-6955",
      "modified": "2023-12-21T06:01:24.989032Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@gitlab.com",
        "ID": "CVE-2023-6955",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "GitLab",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "16.5.6"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "16.6",
                          "version_value": "16.6.4"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "16.7",
                          "version_value": "16.7.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "GitLab"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "This vulnerability has been discovered internally by GitLab team member Jerry Seto"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. "
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-284",
                "lang": "eng",
                "value": "CWE-284: Improper Access Control"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/432188",
            "refsource": "MISC",
            "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/432188"
          }
        ]
      },
      "solution": [
        {
          "lang": "en",
          "value": "Upgrade to versions 16.7.2, 16.6.4, 16.5.6 or above."
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
                    "matchCriteriaId": "69C82A9A-87DA-4974-94B2-0623B86F482D",
                    "versionEndExcluding": "16.5.6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                    "matchCriteriaId": "FC133DE0-541F-4FEE-ADA5-7A2855BDB7EF",
                    "versionEndExcluding": "16.5.6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
                    "matchCriteriaId": "7198B7E4-9928-4B7D-9D00-6B76CCAC3875",
                    "versionEndExcluding": "16.6.4",
                    "versionStartIncluding": "16.6.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                    "matchCriteriaId": "D294EA47-B2EF-42D6-A92B-93CEA5D209B7",
                    "versionEndExcluding": "16.6.4",
                    "versionStartIncluding": "16.6.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:community:*:*:*",
                    "matchCriteriaId": "150F88EA-DA27-4042-9778-932904C2FD41",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:enterprise:*:*:*",
                    "matchCriteriaId": "29C6355F-1CD3-4E4A-AACA-19B497A631D6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:community:*:*:*",
                    "matchCriteriaId": "D385A20C-BC93-4BB9-A47D-50C89D4DFA95",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:enterprise:*:*:*",
                    "matchCriteriaId": "77D86BC4-D4DD-4848-B0FD-0C16A3D2DF89",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. "
          },
          {
            "lang": "es",
            "value": "Existe una vulnerabilidad de control de acceso inadecuado en GitLab Remote Development que afecta a todas las versiones anteriores a 16.5.6, 16.6 anterior a 16.6.4 y 16.7 anterior a 16.7.2. Esta condici\u00f3n permite a un atacante crear un workspace en un grupo asociado con un agente de otro grupo."
          }
        ],
        "id": "CVE-2023-6955",
        "lastModified": "2024-01-18T21:16:42.053",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 1.3,
              "impactScore": 4.7,
              "source": "cve@gitlab.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-01-12T14:15:49.233",
        "references": [
          {
            "source": "cve@gitlab.com",
            "tags": [
              "Broken Link"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/432188"
          }
        ],
        "sourceIdentifier": "cve@gitlab.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-668"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-284"
              }
            ],
            "source": "cve@gitlab.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

CERTFR-2024-AVI-0030

Vulnerability from certfr_avis - Published: 2024-01-12 - Updated: 2024-01-12

De multiples vulnérabilités ont été découvertes dans GitLab. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
GitLab	N/A	Gitlab Community Edition (CE) et Enterprise Edition (EE) versions 16.2.x antérieures à 16.2.9
GitLab	N/A	Gitlab Community Edition (CE) et Enterprise Edition (EE) versions 16.1.x antérieures à 16.1.6
GitLab	N/A	Gitlab Community Edition (CE) et Enterprise Edition (EE) versions 16.4.x antérieures à 16.4.5
GitLab	N/A	Gitlab Community Edition (CE) et Enterprise Edition (EE) versions 16.6.x antérieures à 16.6.4
GitLab	N/A	Gitlab Community Edition (CE) et Enterprise Edition (EE) versions 16.3.x antérieures à 16.3.7
GitLab	N/A	Gitlab Community Edition (CE) et Enterprise Edition (EE) versions 16.7.x antérieures à 16.7.2
GitLab	N/A	Gitlab Community Edition (CE) et Enterprise Edition (EE) versions 16.5.x antérieures à 16.5.6

References

Title

Publication Time

FKIE_CVE-2023-6955

Vulnerability from fkie_nvd - Published: 2024-01-12 14:15 - Updated: 2025-05-05 14:11

Severity ?

6.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

	URL	Tags
	cve@gitlab.com	https://gitlab.com/gitlab-org/gitlab/-/issues/432188	Issue Tracking, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://gitlab.com/gitlab-org/gitlab/-/issues/432188	Issue Tracking, Vendor Advisory

Impacted products

Vendor	Product	Version
gitlab	gitlab	*
gitlab	gitlab	*
gitlab	gitlab	*
gitlab	gitlab	*
gitlab	gitlab	16.7.0
gitlab	gitlab	16.7.0
gitlab	gitlab	16.7.1
gitlab	gitlab	16.7.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "69C82A9A-87DA-4974-94B2-0623B86F482D",
              "versionEndExcluding": "16.5.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "FC133DE0-541F-4FEE-ADA5-7A2855BDB7EF",
              "versionEndExcluding": "16.5.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "7198B7E4-9928-4B7D-9D00-6B76CCAC3875",
              "versionEndExcluding": "16.6.4",
              "versionStartIncluding": "16.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "D294EA47-B2EF-42D6-A92B-93CEA5D209B7",
              "versionEndExcluding": "16.6.4",
              "versionStartIncluding": "16.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:community:*:*:*",
              "matchCriteriaId": "150F88EA-DA27-4042-9778-932904C2FD41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:16.7.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "29C6355F-1CD3-4E4A-AACA-19B497A631D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:community:*:*:*",
              "matchCriteriaId": "D385A20C-BC93-4BB9-A47D-50C89D4DFA95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:16.7.1:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "77D86BC4-D4DD-4848-B0FD-0C16A3D2DF89",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de control de acceso inadecuado en GitLab Remote Development que afecta a todas las versiones anteriores a 16.5.6, 16.6 anterior a 16.6.4 y 16.7 anterior a 16.7.2. Esta condici\u00f3n permite a un atacante crear un workspace en un grupo asociado con un agente de otro grupo."
    }
  ],
  "id": "CVE-2023-6955",
  "lastModified": "2025-05-05T14:11:28.143",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 4.7,
        "source": "cve@gitlab.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-01-12T14:15:49.233",
  "references": [
    {
      "source": "cve@gitlab.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/432188"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/432188"
    }
  ],
  "sourceIdentifier": "cve@gitlab.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cve@gitlab.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-6955 (GCVE-0-2023-6955)

bit-gitlab-2023-6955

Vulnerability from bitnami_vulndb

CVE-2023-6955

GHSA-2W7Q-MJ4W-9CM2

GSD-2023-6955

CERTFR-2024-AVI-0030

Solution

FKIE_CVE-2023-6955

Tags

Sightings

Nomenclature