First published: Tue Aug 01 2023
An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`, fixed in [`tar-1.35`](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html).
Credit: cve@gitlab.com
Affected Software | Affected Version | How to fix
---|---|---
GitLab | >=8.10, <16.0.8 | Upgrade to 16.0.8 or above
GitLab | >=16.1, <16.1.3 | Upgrade to 16.1.3 or above
GitLab | >=16.2, <16.2.2 | Upgrade to 16.2.2 or above
CVE-2023-3385 is an issue discovered in GitLab affecting certain versions that allows a user to access and read unrelated files.
All versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, and all versions starting from 16.2 before 16.2.2 of GitLab are affected by CVE-2023-3385.
CVE-2023-3385 has a severity rating of 6.5, which is considered medium.
To fix CVE-2023-3385, you should update GitLab to version 16.2.2 or later, version 16.1.3 or later, or version 16.0.8 or later, depending on the specific version you are using.
You can find more information about CVE-2023-3385 on the GitLab official website and the HackerOne report linked in the references.
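As an added example (not from the advisory and not GitLab's or `tar`'s code), a pre-extraction check in Python that flags tar entries whose path or link target would resolve outside the import directory, the class of crafted archive the description above refers to. `unsafe_members`, `_inside` and `build_sample_archive` are hypothetical names, and the sample archive is constructed inline.

```python
import io
import os
import tarfile


def _inside(base: str, path: str) -> bool:
    """True if `path` resolves to `base` itself or somewhere beneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(path)
    return target == base or target.startswith(base + os.sep)


def unsafe_members(archive: bytes, dest: str) -> list[str]:
    """Names of tar entries that would land outside `dest` if extracted.

    Flags absolute names, '..' traversal, and symlinks/hardlinks whose
    target resolves outside `dest`. Hypothetical helper, not GitLab's code.
    """
    dest = os.path.realpath(dest)
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for m in tar.getmembers():
            # os.path.join discards `dest` entirely when m.name is absolute.
            if not _inside(dest, os.path.join(dest, m.name)):
                flagged.append(m.name)
            elif m.issym() or m.islnk():
                if m.issym():  # symlink targets resolve from the link's dir
                    link_dir = os.path.dirname(os.path.join(dest, m.name))
                    target = os.path.join(link_dir, m.linkname)
                else:  # hard link targets are relative to the archive root
                    target = os.path.join(dest, m.linkname)
                if not _inside(dest, target):
                    flagged.append(m.name)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus three entries that escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("project/README.md", "../outside.txt", "/abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"hello"))
        link = tarfile.TarInfo("project/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/hostname"  # absolute target, outside dest
        tar.addfile(link)
    return buf.getvalue()
```

On Python 3.12 and later, `tarfile`'s `filter="data"` extraction filter enforces equivalent rules during extraction itself, so new code should prefer it over a hand-rolled check.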