CVE-2023-2620 — Sensitive Information Exposure in Gitlab

CWE-200 — Sensitive Information Exposure CWE-201 — Sensitive Info Insertion into Sent Data5 documents5 sources

Severity

3.8LOWNVD

EPSS

0.4%

top 37.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJul 13

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1. A maintainer could modify a webhook URL to leak masked webhook secrets by manipulating other masked portions. This addresses an incomplete fix for CVE-2023-0838.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:NExploitability: 1.2 | Impact: 2.5

Affected Packages4 packages

▶NVDgitlab/gitlab15.1.0 — 15.11.10+2

▶debiandebian/gitlab< gitlab 15.11.11+ds1-1 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-58hc-8hp4-v536: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15↗2023-07-13

▶

OSV

CVE-2023-2620: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15↗2023-07-13

▶

📋Vendor Advisories

GitLab

CVE-2023-2620: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all↗2023-07-13

▶

Debian

CVE-2023-2620: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro...↗2023

▶