#VU78865 Information disclosure in GitLab Enterprise Edition - CVE-2023-4002

 


Published: August 2, 2023


Vulnerability identifier: #VU78865
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-4002
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: GitLab Enterprise Edition
Software vendor: GitLab, Inc

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the "securityPolicyProjectAssign" mutation does not authorize the security policy project ID. A remote user can link any security policy project by its ID to projects or groups the user has access to and reveal the security policy project's configured security policies.
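The class of flaw described above, shown as an added illustration that is not GitLab's code: a mutation that authorizes the target container but not the object its ID argument refers to, next to a version that authorizes both. All names, the in-memory store and the sample data are constructed for this example.

```ruby
# Constructed model of the flaw class; every name here is hypothetical.
Project = Struct.new(:id, :members, :policies, :linked_policy_project_id)
class AuthorizationError < StandardError; end

# Constructed sample data: alice can access projects 1 and 2, bob owns 99.
def sample_projects
  {
    1  => Project.new(1,  ["alice"], [], nil),
    2  => Project.new(2,  ["alice"], ["alice-policy"], nil),
    99 => Project.new(99, ["bob"],   ["bob-private-policy"], nil)
  }
end

def member?(user, project)
  project.members.include?(user)
end

# Flawed form: only the target is authorized; the referenced ID is trusted.
def assign_policy_project_unchecked(user, target_id, policy_project_id, projects)
  target = projects.fetch(target_id)
  raise AuthorizationError, "no access to target" unless member?(user, target)
  target.linked_policy_project_id = policy_project_id
  target
end

# Hardened form: the object the ID resolves to is authorized as well.
def assign_policy_project_checked(user, target_id, policy_project_id, projects)
  target = projects.fetch(target_id)
  raise AuthorizationError, "no access to target" unless member?(user, target)
  policy_project = projects[policy_project_id]
  # Same error for "missing" and "forbidden", so IDs cannot be probed.
  unless policy_project && member?(user, policy_project)
    raise AuthorizationError, "policy project not found"
  end
  target.linked_policy_project_id = policy_project_id
  target
end

# Policies become readable through the link, which is where the disclosure occurs.
def effective_policies(user, target_id, projects)
  target = projects.fetch(target_id)
  raise AuthorizationError, "no access to target" unless member?(user, target)
  linked = projects[target.linked_policy_project_id]
  linked ? linked.policies : []
end
```

When reviewing a resolver of this shape, check that every ID-typed argument is resolved to an object and passed through the same permission check as the primary target before any association is written.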


Remediation

Install updates from the vendor's website.
