CVE-2023-5332 Configuration in GitLab

2023-12-0406:30:33

CWE-16

GitLab

www.cve.org

cve-2023-5332 gitlab-ee patch bypass consul

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

48.2%

JSON

Patch in third party library Consul requires ‘enable-script-checks’ to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE.

CNA Affected

[
  {
    "cpes": [
      "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "product": "GitLab",
    "repo": "git://[email protected]:gitlab-org/gitlab.git",
    "vendor": "GitLab",
    "versions": [
      {
        "lessThan": "16.2.8",
        "status": "affected",
        "version": "9.5.0",
        "versionType": "semver"
      },
      {
        "lessThan": "16.3.5",
        "status": "affected",
        "version": "16.3.0",
        "versionType": "semver"
      },
      {
        "lessThan": "16.4.1",
        "status": "affected",
        "version": "16.4",
        "versionType": "semver"
      }
    ]
  }
]