CVE-2023-5207

HIGH

GitLab CE/EE <16.2.8-16.4.1 - Authenticated RCE

Title source: llm

Description

A vulnerability was discovered in GitLab CE and EE affecting all versions from 16.0 prior to 16.2.8, from 16.3 prior to 16.3.5, and from 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.

Scores

CVSS v3: 8.2
EPSS: 0.0033
EPSS Percentile: 56.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-250
Status: published
Products (2):
gitlab/gitlab 16.4.0 (2 CPE variants)
gitlab/gitlab 16.0.0 - 16.2.8 (2 CPE variants)
Published: Sep 30, 2023
Tracked Since: Feb 18, 2026