CVE-2023-4378: Sensitive Information Exposure in GitLab

Severity
NVD: 4.3 MEDIUM
OSV: 2.5
EPSS
0.1% (top 69.81%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 1

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, and all versions starting from 16.3 before 16.3.1. A malicious Maintainer can, under specific circumstances, leak the Sentry token by changing the configured URL in the Sentry error tracking settings page. This was a result of an incomplete fix for CVE-2022-4365.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (5 packages)

NVD: gitlab/gitlab, 11.8.0 to 16.1.5 (+2 more)
Debian: debian/gitlab, < gitlab 16.4.4+ds2-2 (sid)
GitLab: gitlab/gitlab
Ubuntu: linux/linux_kernel, < 4.15.0-206.217

🔴 Vulnerability Details (4)

OSV: CVE-2023-4378: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11… (2023-09-01)
GHSA: GHSA-mp7g-3r25-fq9v: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11… (2023-09-01)
OSV: linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-oracle vulnerabilities (2023-03-03)
OSV: linux-aws-hwe, linux-oracle vulnerabilities (2023-03-03)

📋 Vendor Advisories (2)

GitLab: CVE-2023-4378: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, a… (2023-09-01)
Debian: CVE-2023-4378: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... (2023)

💬 Community (1)

Bugzilla: CVE-2023-0458 kernel: speculative pointer dereference in do_prlimit() in kernel/sys.c (2023-05-04)