CVE-2023-5612: Missing Authorization in GitLab
First published: Fri Jan 26 2024(Updated: )
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | <16.6.6 | |
| GitLab | <16.6.6 | |
| GitLab | >=16.7.0<16.7.4 | |
| GitLab | >=16.7.0<16.7.4 | |
| GitLab | =16.8.0 | |
| GitLab | =16.8.0 |
Remedy
Upgrade to versions 16.8.1, 16.7.4, 16.6.6 or above.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-5612?
CVE-2023-5612 is classified as a critical vulnerability due to its impact on user privacy.
How do I fix CVE-2023-5612?
To fix CVE-2023-5612, update GitLab to version 16.6.6 or higher, or to versions 16.7.4 or 16.8.1.
What versions are affected by CVE-2023-5612?
CVE-2023-5612 affects all GitLab versions prior to 16.6.6, 16.7 before 16.7.4, and 16.8 before 16.8.1.
What information was exposed in CVE-2023-5612?
CVE-2023-5612 allowed unauthorized access to user email addresses via the tags feed.
Can CVE-2023-5612 affect both GitLab Community and Enterprise editions?
Yes, CVE-2023-5612 impacts both GitLab Community and Enterprise editions.
- agent/remedy
- agent/references
- agent/first-publish-date
- agent/type
- agent/description
- agent/severity
- agent/author
- agent/event
- agent/softwarecombine
- agent/title
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/16.7.0
- version/gitlab/16.8.0