Lucene search

GoogleOSV:BIT-GITLAB-2023-3922

HistoryMar 06, 2024 - 11:02 a.m.

BIT-gitlab-2023-3922

2024-03-0611:02:04

Google

osv.dev

gitlab

security

hijack

links

malicious page

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

6.4 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.1%

JSON

An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.

CPENameOperatorVersion
gitlabge16.4.0
gitlabge16.3.0
gitlablt16.2.8
gitlabge8.15.0
gitlable16.4.0
gitlablt16.3.5

Name	Operator	Version
gitlab	ge	16.4.0
gitlab	ge	16.3.0
gitlab	lt	16.2.8
gitlab	ge	8.15.0
gitlab	le	16.4.0
gitlab	lt	16.3.5

References

gitlab.com/gitlab-org/gitlab/-/issues/394770

hackerone.com/reports/1887323