CVE Vulnerabilities

CVE-2023-2022

Not Using Password Aging

Published: Aug 02, 2023 | Modified: Nov 21, 2024
CVSS 3.x
4.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

An issue has been discovered in GitLab CE/EE affecting all versions starting before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they dont have access to merge

Weakness

The product does not have a mechanism in place for managing password aging.

Affected Software

Name Vendor Start Version End Version
Gitlab Gitlab * 16.0.8 (excluding)
Gitlab Gitlab 16.1 (including) 16.1.3 (excluding)
Gitlab Gitlab 16.2 (including) 16.2.2 (excluding)
Gitlab Ubuntu bionic *
Gitlab Ubuntu esm-apps/xenial *
Gitlab Ubuntu trusty *
Gitlab Ubuntu xenial *

Extended Description

Password aging (or password rotation) is a policy that forces users to change their passwords after a defined time period passes, such as every 30 or 90 days. Without mechanisms such as aging, users might not change their passwords in a timely manner. Note that while password aging was once considered an important security feature, it has since fallen out of favor by many, because it is not as effective against modern threats compared to other mechanisms such as slow hashes. In addition, forcing frequent changes can unintentionally encourage users to select less-secure passwords. However, password aging is still in use due to factors such as compliance requirements, e.g., Payment Card Industry Data Security Standard (PCI DSS).

Potential Mitigations

References