Lucene search

GitLabVULNRICHMENT:CVE-2023-4008

HistoryAug 03, 2023 - 6:31 a.m.

CVE-2023-4008 Time-of-check Time-of-use (TOCTOU) Race Condition in GitLab

2023-08-0306:31:21

CWE-367

GitLab

github.com

cve-2023-4008

time-of-check time-of-use

race condition

gitlab

gitlab ce/ee

version 15.9

version 16.0.8

version 16.1

version 16.1.3

version 16.2

version 16.2.2

gitlab pages

unique domain urls

random string

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.4

Confidence

Low

EPSS

0.003

Percentile

69.8%

SSVC

Exploitation

poc

Automatable

yes

Technical Impact

partial

JSON

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to takeover GitLab Pages with unique domain URLs if the random string added was known.