CVE-2023-3949

2023-12-0107:15:08

CWE-200

[email protected]

web.nvd.nist.gov

cve-2023-3949 gitlab version 11.3 to 16.4.3 16.5 to 16.5.3 16.6 to 16.6.1 unauthorized access public projects release descriptions

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

28.9%

JSON

An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects’ release descriptions via an atom endpoint when release access on the public was set to only project members.

Affected configurations

Nvd

Node

gitlabgitlabRange11.3.0–16.4.3community

gitlabgitlabRange11.3.0–16.4.3enterprise

gitlabgitlabRange16.5.0–16.5.3community

gitlabgitlabRange16.5.0–16.5.3enterprise

gitlabgitlabMatch16.6.0community

gitlabgitlabMatch16.6.0enterprise

VendorProductVersionCPE
gitlabgitlab*cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
gitlabgitlab*cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
gitlabgitlab16.6.0cpe:2.3:a:gitlab:gitlab:16.6.0:*:*:*:community:*:*:*
gitlabgitlab16.6.0cpe:2.3:a:gitlab:gitlab:16.6.0:*:*:*:enterprise:*:*:*

Vendor	Product	Version	CPE
gitlab	gitlab	*	cpe:2.3:a:gitlab:gitlab:::::community:::*
gitlab	gitlab	*	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
gitlab	gitlab	16.6.0	cpe:2.3:a:gitlab:gitlab:16.6.0::::community:::
gitlab	gitlab	16.6.0	cpe:2.3:a:gitlab:gitlab:16.6.0::::enterprise:::