Lucene search

Veracode Vulnerability DatabaseVERACODE:42456

HistoryAug 06, 2023 - 9:42 p.m.

Information Disclosure

2023-08-0621:42:50

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitlab

information disclosure

vulnerability

authorization

project

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.003 Low

EPSS

Percentile

71.7%

JSON

gitlab is vulnerable to Information Disclosure. This vulnerability exists in the way that GitLab handles project membership. An attacker can exploit this vulnerability by creating a project with a specific name and then adding themselves to the project as a project member. This will allow the attacker to bypass the authorization checks for the project and access the project’s data.

CPENameOperatorVersion
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1

Name	Operator	Version
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1

References

gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0485.json

gitlab.com/gitlab-org/gitlab/-/issues/389191

hackerone.com/reports/1837937

security-tracker.debian.org/tracker/CVE-2023-0485

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.003 Low

EPSS

Percentile

71.7%

JSON

Related for VERACODE:42456