Source: NVD (NVD:CVE-2023-0989)
History: Sep 29, 2023 - 7:15 a.m.

CVE-2023-0989

2023-09-29 07:15:12
CWE-200
web.nvd.nist.gov
5
Tags: cve-2023-0989, information disclosure, gitlab, ci/cd variables, attack, version 13.11, version 16.4.1

CVSS3: 5.7
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score: 4.7
Confidence: High
EPSS: 0.001
Percentile: 31.8%

An information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user into visiting a fork with a malicious CI/CD configuration.

Affected configurations (NVD)

Configuration node (any of the following):

Vendor   Product   Version range          Edition
gitlab   gitlab    >= 13.11, < 16.2.8     community
gitlab   gitlab    >= 13.11, < 16.2.8     enterprise
gitlab   gitlab    >= 16.3.0, < 16.3.5    community
gitlab   gitlab    >= 16.3.0, < 16.3.5    enterprise
gitlab   gitlab    = 16.4.0               community
gitlab   gitlab    = 16.4.0               enterprise

Vendor   Product   Version   CPE
gitlab   gitlab    *         cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
gitlab   gitlab    *         cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
gitlab   gitlab    16.4.0    cpe:2.3:a:gitlab:gitlab:16.4.0:*:*:*:community:*:*:*
gitlab   gitlab    16.4.0    cpe:2.3:a:gitlab:gitlab:16.4.0:*:*:*:enterprise:*:*:*
