CVE-2017-0882 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Affected Products (NVD)

Vendor	Product	Version
gitlab	gitlab	8.2.0
gitlab	gitlab	8.2.1
gitlab	gitlab	8.2.2
gitlab	gitlab	8.2.3
gitlab	gitlab	8.2.4
gitlab	gitlab	8.2.5
gitlab	gitlab	8.3.0
gitlab	gitlab	8.3.8
gitlab	gitlab	8.3.9
gitlab	gitlab	8.4.0
gitlab	gitlab	8.4.9
gitlab	gitlab	8.4.10
gitlab	gitlab	8.5.0
gitlab	gitlab	8.5.11
gitlab	gitlab	8.5.12
gitlab	gitlab	8.6.0
gitlab	gitlab	8.6.7
gitlab	gitlab	8.6.8
gitlab	gitlab	8.7.0
gitlab	gitlab	8.7.1
gitlab	gitlab	8.10.0
gitlab	gitlab	8.10.12
gitlab	gitlab	8.10.13
gitlab	gitlab	8.11.0
gitlab	gitlab	8.11.9
gitlab	gitlab	8.11.10
gitlab	gitlab	8.12.0
gitlab	gitlab	8.12.7
gitlab	gitlab	8.12.8
gitlab	gitlab	8.13.0
gitlab	gitlab	8.13.2
gitlab	gitlab	8.13.3
gitlab	gitlab	8.14.0
gitlab	gitlab	8.14.1
gitlab	gitlab	8.14.2
gitlab	gitlab	8.14.3
gitlab	gitlab	8.14.4
gitlab	gitlab	8.14.5
gitlab	gitlab	8.14.6
gitlab	gitlab	8.15.0
gitlab	gitlab	8.15.1
gitlab	gitlab	8.15.2
gitlab	gitlab	8.15.3
gitlab	gitlab	8.15.4
gitlab	gitlab	8.15.5
gitlab	gitlab	8.15.6
gitlab	gitlab	8.15.7
gitlab	gitlab	8.16.0
gitlab	gitlab	8.16.1
gitlab	gitlab	8.16.2
gitlab	gitlab	8.16.3
gitlab	gitlab	8.16.4
gitlab	gitlab	8.16.5
gitlab	gitlab	8.16.6
gitlab	gitlab	8.16.7
gitlab	gitlab	8.17.0
gitlab	gitlab	8.17.1
gitlab	gitlab	8.17.2
gitlab	gitlab	8.17.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

gitlab

sid	16.8.4-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

gitlab

artful	ignored
bionic	dne
cosmic	dne
precise	dne
trusty	dne
xenial	not-affected
yakkety	ignored
zesty	ignored

Known Exploits!

Common Weakness Enumeration

CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

http://www.securityfocus.com/bid/97157

https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/

https://gitlab.com/gitlab-org/gitlab-ce/commit/43f5a2739dbf8f5c4c16a79f98e2630888f6b5d1

https://gitlab.com/gitlab-org/gitlab-ce/commit/a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b

https://gitlab.com/gitlab-org/gitlab-ce/commit/cdf396f456472ef8decd9598daa8dc0097cd30c5

https://gitlab.com/gitlab-org/gitlab-ce/issues/29661

http://www.securityfocus.com/bid/97157

https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/

https://gitlab.com/gitlab-org/gitlab-ce/commit/43f5a2739dbf8f5c4c16a79f98e2630888f6b5d1

https://gitlab.com/gitlab-org/gitlab-ce/commit/a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b

https://gitlab.com/gitlab-org/gitlab-ce/commit/cdf396f456472ef8decd9598daa8dc0097cd30c5

https://gitlab.com/gitlab-org/gitlab-ce/issues/29661