Lucene search

Veracode Vulnerability DatabaseVERACODE:44824

HistoryDec 25, 2023 - 11:58 p.m.

Information Disclosure

2023-12-2523:58:04

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitlab

vulnerability

unauthorized access

ci/cd variables

software

8.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

29.6%

JSON

GitLab EE is vulnerable to Information Disclosure.The vulnerability is caused due to improper authorization. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates.

CPENameOperatorVersion
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1

Name	Operator	Version
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1

References

gitlab.com/gitlab-org/gitlab/-/issues/416244

hackerone.com/reports/2021616

security-tracker.debian.org/tracker/CVE-2023-3399

8.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

29.6%

JSON

Related for VERACODE:44824