CVE-2023-3949

An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects' release descriptions via an atom endpoint when release access on the public was set to only project members.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/419664	Broken Link Vendor Advisory
https://hackerone.com/reports/2079374	Permissions Required Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:16.6.0::::community:::
	cpe:2.3:a:gitlab:gitlab:16.6.0::::enterprise:::

History

03 Oct 2024, 07:15

Type	Values Removed	Values Added
CWE	~~CWE-200~~	CWE-201

06 Dec 2023, 18:31

Type	Values Removed	Values Added
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:16.6.0::::enterprise::: cpe:2.3:a:gitlab:gitlab:16.6.0::::community:::
CWE		NVD-CWE-noinfo
First Time		Gitlab Gitlab gitlab
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/419664 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/419664 - Broken Link, Vendor Advisory
References	~~() https://hackerone.com/reports/2079374 -~~	() https://hackerone.com/reports/2079374 - Permissions Required, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3

01 Dec 2023, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-01 07:15

Updated : 2024-10-03 07:15

NVD link : CVE-2023-3949

Mitre link : CVE-2023-3949

CVE.ORG link : CVE-2023-3949

JSON object : View

Products Affected

gitlab

gitlab

CWE

NVD-CWE-noinfo CWE-201

Insertion of Sensitive Information Into Sent Data

{"id": "CVE-2023-3949", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-12-01T07:15:08.973", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/419664", "tags": ["Broken Link", "Vendor Advisory"], "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2079374", "tags": ["Permissions Required", "Third Party Advisory"], "source": "cve@gitlab.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-201"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects' release descriptions via an atom endpoint when release access on the public was set to only project members."}, {"lang": "es", "value": "Se ha descubierto un problema en GitLab que afecta a todas las versiones desde 11.3 anteriores a 16.4.3, todas las versiones desde 16.5 anteriores a 16.5.3, todas las versiones desde 16.6 anteriores a 16.6.1. Era posible que usuarios no autorizados vieran las descripciones de la versi\u00f3n de un proyecto p\u00fablico a trav\u00e9s de un endpoint Atom cuando el acceso a la versi\u00f3n p\u00fablica estaba configurado solo para los miembros del proyecto."}], "lastModified": "2024-10-03T07:15:16.393", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "EAC69A79-4900-45F1-A299-E449ED2D0057", "versionEndExcluding": "16.4.3", "versionStartIncluding": "11.3.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "79FABBE9-AC1C-46A9-8337-C2352E29B3C3", "versionEndExcluding": "16.4.3", "versionStartIncluding": "11.3.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "B1AC7763-4EA9-4E9A-8711-FEEA9D111D68", "versionEndExcluding": "16.5.3", "versionStartIncluding": "16.5.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "6B77E904-2562-4F78-A787-7F51871054BA", "versionEndExcluding": "16.5.3", "versionStartIncluding": "16.5.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:16.6.0:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "FAB408DE-FE19-4CD6-B026-44AF7AD36405"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:16.6.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "8D5674D6-E26B-4F62-9B59-C15DEEDDB4B1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}