CVE-2023-2181

2023-05-1221:15:09

[email protected]

web.nvd.nist.gov

gitlab

cve-2023-2181

security

vulnerability

refs/replace

content smuggling

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.5%

JSON

An issue has been discovered in GitLab affecting all versions before 15.9.8, 15.10.0 before 15.10.7, and 15.11.0 before 15.11.3. A malicious developer could use a git feature called refs/replace to smuggle content into a merge request which would not be visible during review in the UI.

Affected configurations

NVD

Node

gitlabgitlabRange<15.9.8

gitlabgitlabRange15.10.0–15.10.7

gitlabgitlabRange15.11.0–15.11.3

CPENameOperatorVersion
gitlab:gitlabgitlablt15.9.8
gitlab:gitlabgitlablt15.10.7
gitlab:gitlabgitlablt15.11.3

CPE	Name	Operator	Version
gitlab:gitlab	gitlab	lt	15.9.8
gitlab:gitlab	gitlab	lt	15.10.7
gitlab:gitlab	gitlab	lt	15.11.3

CNA Affected

[
  {
    "vendor": "GitLab",
    "product": "GitLab",
    "versions": [
      {
        "version": "<15.9.8",
        "status": "affected"
      },
      {
        "version": ">=15.10, <15.10.7",
        "status": "affected"
      },
      {
        "version": ">=15.11, <15.11.3",
        "status": "affected"
      }
    ]
  }
]