CVE-2023-5332
5.9
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Summary
Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| GitLab | GitLab | 9.5.0 < 16.2.8 | affected |
| GitLab | GitLab | 16.3.0 < 16.3.5 | affected |
| GitLab | GitLab | 16.4 < 16.4.1 | affected |
Weaknesses
- CWE-1395: CWE-1395: Dependency on Vulnerable Third-Party Component
ADP Enrichment
CVE Program Container
Additional References
- https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171
- https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations
References
- https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171
- https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.