Main Vulnerability Database Vulnerabilities #VU84418

#VU84418 Security features bypass in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2023-5512

Published: December 14, 2023

Vulnerability identifier: #VU84418

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-5512

CWE-ID: CWE-254

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Gitlab Community Edition
GitLab Enterprise Edition

Software vendor:
GitLab, Inc

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the omission of double encoding in file names which facilitates the creation of repositories with malicious content. A remote user can use specific HTML encoding for file names leading for incorrect representation in the UI.

Remediation

Install updates from vendor's website.

External links

https://about.gitlab.com/releases/2023/12/13/security-release-gitlab-16-6-2-released/