CVE-2023-3914 — Incorrect User Management in Gitlab

CWE-286 — Incorrect User Management4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 87.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedSep 29

Description

A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5gitlab/gitlab16.3 — 16.3.5+1

▶NVDgitlab/gitlab16.3.0 — 16.3.5+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-6f6c-487w-2449: A business logic error in GitLab EE affecting all versions prior to 16↗2023-09-29

▶

📋Vendor Advisories

GitLab

CVE-2023-3914: A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal p↗2023-09-29

▶

Debian

CVE-2023-3914: gitlab - A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3...↗2023

▶