CVE-2023-3950

Published: Sep 1, 2023Modified: Nov 21, 2024

3.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Exploitability: 1.2 / Impact: 2.5

Source: NVD

Description

An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it.

Affected (4)

Products: Gitlab: Gitlab

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 16.2 to 16.2.5
Gitlab Gitlab	From 16.2 to 16.2.5
Gitlab Gitlab	Version 16.3.0
Gitlab Gitlab	Version 16.3.0

Related CWEs

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References (4)

https://gitlab.com/gitlab-org/gitlab/-/issues/419675

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/2079154

Source: cve@gitlab.com

Permissions Required

https://gitlab.com/gitlab-org/gitlab/-/issues/419675

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://hackerone.com/reports/2079154

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.