CVE-2023-0989 — Improper Ownership Management in Gitlab

CWE-282 — Improper Ownership Management CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

5.7MEDIUMNVD

EPSS

0.1%

top 79.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedSep 29

Description

An information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 2.1 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5gitlab/gitlab16.3 — 16.3.5+2

▶NVDgitlab/gitlab13.11 — 16.2.8+2

▶debiandebian/gitlab< gitlab 16.4.4+ds2-2 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-p32w-wm8h-w433: An information disclosure issue in GitLab CE/EE affecting all versions prior to 16↗2023-09-29

▶

OSV

CVE-2023-0989: An information disclosure issue in GitLab CE/EE affecting all versions starting from 13↗2023-09-29

▶

📋Vendor Advisories

GitLab

CVE-2023-0989: An information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16↗2023-09-29

▶

Debian

CVE-2023-0989: gitlab - An information disclosure issue in GitLab CE/EE affecting all versions starting ...↗2023

▶