CVE-2023-3413
Published 2023-09-29
Priority P339 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (network, low complexity, no privileges, no user interaction, unchanged scope; high confidentiality impact, no integrity or availability impact)
EPSS: 0.62% (45.4th percentile)
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members. In practice, restricting a project to its members after the fact did not cut off what forks made earlier could read, so tightening visibility is not complete until existing forks are reviewed.
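The review that follows from this advisory, as an added example that is not GitLab's code and not the advisory's own remediation: enumerate a project's fork network and flag forks that are readable by a wider audience than the upstream now is. It uses the record shape returned by the GitLab REST API (`GET /projects/:id` and `GET /projects/:id/forks`, whose project objects carry `visibility` and `forked_from_project`), but runs here on constructed sample records; the `fetch_json`/`audit_project` wiring, the token handling and the project names are assumptions.

```python
"""Flag forks that are more visible than their upstream project.

Added example, not GitLab code. Consumes GitLab REST API project objects
(fields: id, path_with_namespace, visibility, forked_from_project) but is
exercised below on constructed sample data so it runs offline.
"""
import json
import urllib.request

# GitLab visibility levels, least to most exposed.
VISIBILITY_RANK = {"private": 0, "internal": 1, "public": 2}


def more_visible(fork_visibility: str, upstream_visibility: str) -> bool:
    """True when the fork's audience is wider than the upstream's."""
    return VISIBILITY_RANK[fork_visibility] > VISIBILITY_RANK[upstream_visibility]


def find_exposed_forks(upstream: dict, forks: list) -> list:
    """Return findings for forks of `upstream` whose visibility exceeds it.

    Forks that point at a different parent are ignored; a fork at the same
    or a stricter level is not reported.
    """
    findings = []
    for fork in forks:
        parent_id = fork.get("forked_from_project", {}).get("id")
        if parent_id != upstream["id"]:
            continue  # not part of this fork network
        if more_visible(fork["visibility"], upstream["visibility"]):
            findings.append({
                "fork": fork["path_with_namespace"],
                "fork_visibility": fork["visibility"],
                "upstream": upstream["path_with_namespace"],
                "upstream_visibility": upstream["visibility"],
            })
    return findings


def fetch_json(base_url: str, token: str, path: str):
    """Hypothetical live wiring: GET {base_url}/api/v4/{path} with a PAT."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/{path}", headers={"PRIVATE-TOKEN": token}
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_project(base_url: str, token: str, project_id: int) -> list:
    """Live audit of one project (assumes fewer than 100 forks; add paging otherwise)."""
    upstream = fetch_json(base_url, token, f"projects/{project_id}")
    forks = fetch_json(base_url, token, f"projects/{project_id}/forks?per_page=100")
    return find_exposed_forks(upstream, forks)


# Constructed sample: an upstream that was public when forked, then made private.
SAMPLE_UPSTREAM = {"id": 42, "path_with_namespace": "acme/payments", "visibility": "private"}
SAMPLE_FORKS = [
    {"id": 101, "path_with_namespace": "alice/payments", "visibility": "public",
     "forked_from_project": {"id": 42}},   # wider than upstream: reported
    {"id": 102, "path_with_namespace": "bob/payments", "visibility": "private",
     "forked_from_project": {"id": 42}},   # same level: not reported
    {"id": 103, "path_with_namespace": "eve/other", "visibility": "public",
     "forked_from_project": {"id": 7}},    # different parent: ignored
]

if __name__ == "__main__":
    for f in find_exposed_forks(SAMPLE_UPSTREAM, SAMPLE_FORKS):
        print(f"{f['fork']} ({f['fork_visibility']}) is wider than "
              f"{f['upstream']} ({f['upstream_visibility']})")
```

The comparison is by visibility level only; a fork at the same level with different members is still a separate copy of the source, so the full review also covers who holds access on each fork, which the API's member endpoints expose but this example does not query.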
Affected
11 ranges in the index; the GitLab ranges, deduplicated, are:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < 16.4.4+ds2-2 (sid) | 16.4.4+ds2-2 (sid) |
| gitlab | gitlab | >= 16.2 < 16.2.8 | 16.2.8 |
| gitlab | gitlab | >= 16.3 < 16.3.5 | 16.3.5 |
| gitlab | gitlab | >= 16.4 < 16.4.1 | 16.4.1 |
The index also lists two gitlab/gitlab rows with no range and a second copy of the 16.3 range written as >= 16.3.0 < 16.3.5; they add nothing to the table above. It further attaches the following linux_kernel rows to this record. They are not GitLab products and do not belong to CVE-2023-3413; they match the kernel fs/ntfs3 advisory shown further down this page.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 5.15.0 < 5.15.111 | 5.15.111 |
| linux | linux_kernel | >= 5.16.0 < 6.1.28 | 6.1.28 |
| linux | linux_kernel | >= 6.2.0 < 6.2.15 | 6.2.15 |
| linux | linux_kernel | >= 6.3.0 < 6.3.2 | 6.3.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| ghsa | 5.5 | MEDIUM | — |
| osv | 7.5 | HIGH | — |
| vendor_debian | 6.5 | MEDIUM | — |
OSV (unrelated kernel advisory indexed alongside this CVE)
CVE-2023-54063: fs/ntfs3: Fix OOB read in indx_insert_into_buffer
osv · 2025-12-24
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix OOB read in indx_insert_into_buffer
Syzbot reported an OOB read bug:
BUG: KASAN: slab-out-of-bounds in indx_insert_into_buffer+0xaa3/0x13b0
fs/ntfs3/index.c:1755
Read of size 17168 at addr ffff8880255e06c0 by task syz-executor308/3630
Call Trace:
memmove+0x25/0x60 mm/kasan/shadow.c:54
indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755
indx_insert_entry+0x446/0x6b0 fs/ntfs3/index.c:1863
ntfs_create_inode+0x1d3f/0x35c0 fs/ntfs3/inode.c:1548
ntfs_create+0x3e/0x60 fs/ntfs3/namei.c:100
lookup_open fs/namei.c:3413 [inline]
If the member struct INDEX_BUFFER *index of struct indx_node is
incorrect, that is, the value of __le32 used is greater than the va
GHSA (unrelated RESTEasy advisory indexed alongside this CVE)
CVE-2023-0482 [MEDIUM] CWE-378: Insecure Temporary File in RESTEasy
ghsa · 2025-01-15 · CVSS 5.5
### Impact
In RESTEasy the insecure `File.createTempFile()` is used in the `DataSourceProvider`, `FileProvider` and `Mime4JWorkaround` classes which creates temp files with insecure permissions that could be read by a local user.
### Patches
Fixed in the following pull requests:
* https://github.com/resteasy/resteasy/pull/3409 (7.0.0.Alpha1)
* https://github.com/resteasy/resteasy/pull/3423 (6.2.3.Final)
* https://github.com/resteasy/resteasy/pull/3412 (5.0.6.Final)
* https://github.com/resteasy/resteasy/pull/3413 (4.7.8.Final)
* https://github.com/resteasy/resteasy/pull/3410 (3.15.5.Final)
### Workarounds
There is no workaround for this issue.
### References
* https://nvd.nist.gov/vuln/detail/CVE-2023-0482
* https://bugzilla.redhat.com/show_bug.cgi?
OSV
CVE-2023-3413 [HIGH]
osv · 2023-09-29 · CVSS 7.5
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
GHSA
GHSA-v9r7-fcc3-gg2v / CVE-2023-3413 [HIGH] CWE-200
ghsa_unreviewed · 2023-09-29
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
Red Hat (unrelated kernel advisory indexed alongside this CVE)
CVE-2023-54063 kernel: fs/ntfs3: Fix OOB read in indx_insert_into_buffer
vendor_redhat · 2025-12-24
GitLab
CVE-2023-3413 [MEDIUM] CWE-201
vendor_gitlab · 2023-09-29 · CVSS 6.5
CVE-2023-3413: An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
Debian
CVE-2023-3413 [MEDIUM] gitlab
vendor_debian · 2023 · CVSS 6.5
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)
Detection rules: none indexed.
Public exploits: none indexed.
Published: 2023-09-29