GitLabVULNRICHMENT:CVE-2023-3950CVE-2023-3950 Cleartext Storage of Sensitive Information in GitLab
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
21.6%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial
An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"vendor": "gitlab",
"product": "gitlab",
"versions": [
{
"status": "affected",
"version": "16.2",
"lessThan": "16.2.5",
"versionType": "semver"
},
{
"status": "affected",
"version": "16.3",
"lessThan": "16.3.1",
"versionType": "semver"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
21.6%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial