CVE Vulnerabilities

CVE-2021-22263

Improper Privilege Management

Published: Oct 11, 2021 | Modified: Oct 18, 2021
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVSS 2.x
5.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with external status which is granted Maintainer role on any project on the GitLab instance where project tokens are allowed may elevate its privilege to Internal and access Internal projects.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name Vendor Start Version End Version
Gitlab Gitlab 14.2.0 *
Gitlab Gitlab 14.2.0 *
Gitlab Gitlab 14.1.0 *
Gitlab Gitlab 14.1.0 *
Gitlab Gitlab 13.0.0 *
Gitlab Gitlab 13.0.0 *

Potential Mitigations

References