CVE-2023-6152: Incorrect Authorization

February 13, 2024

A user changing their email after signing up and verifying it can change it without verification in profile settings.

The configuration option “verify_email_enabled” will only validate email only on sign up.

References

github.com/advisories/GHSA-3hv4-r2fm-h27f
github.com/grafana/bugbounty/security/advisories/GHSA-3hv4-r2fm-h27f

Detect and mitigate CVE-2023-6152 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →