CVE-2023-4630 - OpenCVE

An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:16.3.0::::community:::
	cpe:2.3:a:gitlab:gitlab:16.3.0::::enterprise:::

No data.

References

Link	Providers
https://about.gitlab.com/releases/2023/08/31/security-release-gitlab-16-3-1-released/
https://gitlab.com/gitlab-org/gitlab/-/issues/415117

History

Thu, 29 Aug 2024 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:gitlab:gitlab::::::::

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2023-09-11T13:01:02.519Z

Updated: 2024-08-30T15:19:24.939Z

Reserved: 2023-08-30T13:30:38.495Z

Link: CVE-2023-4630

Vulnrichment

Updated: 2024-08-02T07:31:06.683Z

NVD

Status : Analyzed

Published: 2023-09-11T14:15:09.343

Modified: 2023-09-13T16:50:23.250

Link: CVE-2023-4630

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4630", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2023-08-30T13:30:38.495Z", "datePublished": "2023-09-11T13:01:02.519Z", "dateUpdated": "2024-08-30T15:19:24.939Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "versions": [{"lessThan": "16.1.5", "status": "affected", "version": "10.6", "versionType": "semver"}, {"lessThan": "16.2.5", "status": "affected", "version": "16.2", "versionType": "semver"}, {"lessThan": "16.3.1", "status": "affected", "version": "16.3", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability was found internally by a GitLab team member Rodrigo Tomonari."}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-08-29T15:04:50.019Z"}, "references": [{"name": "GitLab Issue #415117", "tags": ["issue-tracking"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/415117"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 16.1.5, 16.2.5, 16.3.1 or above."}], "title": "Exposure of Sensitive Information to an Unauthorized Actor in GitLab"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:06.683Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/415117", "name": "GitLab Issue #415117", "tags": ["issue-tracking", "x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-30T15:19:12.333205Z", "id": "CVE-2023-4630", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-30T15:19:24.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/415117", "name": "GitLab Issue #415117", "tags": ["issue-tracking", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:06.683Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4630", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-30T15:19:12.333205Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-30T15:19:19.968Z"}}], "cna": {"title": "Exposure of Sensitive Information to an Unauthorized Actor in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability was found internally by a GitLab team member Rodrigo Tomonari."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "10.6", "lessThan": "16.1.5", "versionType": "semver"}, {"status": "affected", "version": "16.2", "lessThan": "16.2.5", "versionType": "semver"}, {"status": "affected", "version": "16.3", "lessThan": "16.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 16.1.5, 16.2.5, 16.3.1 or above."}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/415117", "name": "GitLab Issue #415117", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-08-29T15:04:50.019Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4630", "state": "PUBLISHED", "dateUpdated": "2024-08-30T15:19:24.939Z", "dateReserved": "2023-08-30T13:30:38.495Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2023-09-11T13:01:02.519Z", "assignerShortName": "GitLab"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "F9BDADFA-ADB1-488F-AB5A-209A19FC70A2", "versionEndExcluding": "16.1.5", "versionStartIncluding": "10.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "21BFE27A-793C-4B3C-BC89-B341A0777F7E", "versionEndExcluding": "16.1.5", "versionStartIncluding": "10.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "0892F9AB-63DF-4753-9463-34C81A2174B5", "versionEndExcluding": "16.2.5", "versionStartIncluding": "16.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "D678B1CF-DAF8-4A11-80D4-0CB0796A104C", "versionEndExcluding": "16.2.5", "versionStartIncluding": "16.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:16.3.0:*:*:*:community:*:*:*", "matchCriteriaId": "EE9B8DE8-9990-494B-BDBE-F867DDBB9D57", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:16.3.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "08D6B555-39B6-493D-8460-3DC998BAF651", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports."}, {"lang": "es", "value": "Se ha descubierto un problema en GitLab que afecta a todas las versiones desde 10.6 anteriores a 16.1.5, todas las versiones desde 16.2 anteriores a 16.2.5, todas las versiones desde 16.3 anteriores a 16.3.1 en el que cualquier usuario puede leer informaci\u00f3n limitada sobre las importaciones de cualquier proyecto."}], "id": "CVE-2023-4630", "lastModified": "2023-09-13T16:50:23.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2023-09-11T14:15:09.343", "references": [{"source": "nvd@nist.gov", "tags": ["Vendor Advisory"], "url": "https://about.gitlab.com/releases/2023/08/31/security-release-gitlab-16-3-1-released/"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/415117"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "cve@gitlab.com", "type": "Secondary"}]}