Lucene search

[email protected]CVE-2023-3906

HistorySep 29, 2023 - 7:15 a.m.

CVE-2023-3906

2023-09-2907:15:13

CWE-1333

CWE-20

[email protected]

web.nvd.nist.gov

193

cve-2023-3906

input validation

gitlab ee

asset proxy

authentication bypass

security vulnerability

nvd

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

3.5 Low

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.2%

JSON

An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.

Affected configurations

NVD

Node

gitlabgitlabRange12.3–16.2.8community

gitlabgitlabRange12.3–16.2.8enterprise

gitlabgitlabRange16.3.0–16.3.5community

gitlabgitlabRange16.3.0–16.3.5enterprise

gitlabgitlabMatch16.4.0community

gitlabgitlabMatch16.4.0enterprise

CPENameOperatorVersion
gitlab:gitlabgitlablt16.2.8
gitlab:gitlabgitlablt16.3.5
gitlab:gitlabgitlabeq16.4.0

CPE	Name	Operator	Version
gitlab:gitlab	gitlab	lt	16.2.8
gitlab:gitlab	gitlab	lt	16.3.5
gitlab:gitlab	gitlab	eq	16.4.0

CNA Affected

[
  {
    "vendor": "GitLab",
    "product": "GitLab",
    "repo": "git://[email protected]:gitlab-org/gitlab.git",
    "versions": [
      {
        "version": "12.3",
        "status": "affected",
        "lessThan": "16.2.8",
        "versionType": "semver"
      },
      {
        "version": "16.3",
        "status": "affected",
        "lessThan": "16.3.5",
        "versionType": "semver"
      },
      {
        "version": "16.4",
        "status": "affected",
        "lessThan": "16.4.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]