CVE-2023-3950

{"id": "CVE-2023-3950", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.2}]}, "published": "2023-09-01T11:15:42.457", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/419675", "tags": ["Broken Link"], "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2079154", "tags": ["Permissions Required"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/419675", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/2079154", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-312"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it."}, {"lang": "es", "value": "Un problema de divulgaci\u00f3n de informaci\u00f3n en GitLab EE que afectaba a todas las versiones desde la 16.2 hasta la 16.2.5, y desde la 16.3 hasta la 16.3.1 permit\u00eda a otros propietarios de grupo ver la clave p\u00fablica de un destino de transmisi\u00f3n de eventos de auditor\u00eda de Google Cloud Logging, si estaba configurado. Ahora los propietarios solo pueden escribir la clave, no leerla. "}], "lastModified": "2024-11-21T08:18:23.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "18116007-7452-495F-80A1-39499882656E", "versionEndExcluding": "16.2.5", "versionStartIncluding": "16.2"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "4E03E8BA-63C8-47D5-B5A1-26DF199E1F65", "versionEndExcluding": "16.2.5", "versionStartIncluding": "16.2"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:16.3.0:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "EE9B8DE8-9990-494B-BDBE-F867DDBB9D57"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:16.3.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "08D6B555-39B6-493D-8460-3DC998BAF651"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}