First published: Fri Sep 29 2023
An information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user into visiting a fork with a malicious CI/CD configuration.
Credit: cve@gitlab.com
Affected Software | Affected Version | How to fix
---|---|---
GitLab CE/EE | >=13.11, <16.2.8 | Upgrade to 16.2.8 or later
GitLab CE/EE | >=16.3.0, <16.3.5 | Upgrade to 16.3.5 or later
GitLab CE/EE | =16.4.0 | Upgrade to 16.4.1 or later
Upgrade to versions 16.4.1, 16.3.5, 16.2.8 or above.
CVE-2023-0989 is an information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. It allows an attacker to extract non-protected CI/CD variables by tricking a user into visiting a fork with a malicious CI/CD configuration.
The severity of CVE-2023-0989 is medium, with a score of 5.7.
To fix CVE-2023-0989, update GitLab CE/EE to version 16.2.8, 16.3.5, or 16.4.1 or later.
You can find more information about CVE-2023-0989 in the GitLab issue tracker (https://gitlab.com/gitlab-org/gitlab/-/issues/417275) and in the HackerOne report (https://hackerone.com/reports/1875515).