Lucene search

Veracode Vulnerability DatabaseVERACODE:42537

HistoryAug 07, 2023 - 12:18 a.m.

Open Redirect

2023-08-0700:18:28

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitlab

open redirect

url validation

vulnerability

attacker

malicious urls

arbitrary content

user-controlled markdown

software

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L

0.001 Low

EPSS

Percentile

40.8%

JSON

gitlab is vulnerable to Open Redirect. The vulnerability exists due to the lack of URL validation in the library, which allows an attacker to redirect users to malicious URLs and frame arbitrary content on any page allowing user-controlled markdown.

CPENameOperatorVersion
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1

Name	Operator	Version
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1

References

gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0155.json

gitlab.com/gitlab-org/gitlab/-/issues/387638

hackerone.com/reports/1817250

security-tracker.debian.org/tracker/CVE-2023-0155