ByteOS Network

Vulnerability Details :

CVE-2023-1265

Assigner-GitLab

Assigner Org ID-ceab7361-8a18-47b1-92ba-4d7d25f6715a

Published At-03 May, 2023 | 00:00

Updated At-29 Jan, 2025 | 21:48

An issue has been discovered in GitLab affecting all versions starting from 11.9 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The condition allows for a privileged attacker, under certain conditions, to obtain session tokens from all users of a GitLab instance.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:GitLab

Assigner Org ID:ceab7361-8a18-47b1-92ba-4d7d25f6715a

Published At:03 May, 2023 | 00:00

Updated At:29 Jan, 2025 | 21:48

▼CVE Numbering Authority (CNA)

Affected Products

Vendor

GitLab Inc.

Product

GitLab

Versions

Affected

>=11.9, <15.9.6
>=15.10, <15.10.5
>=15.11, <15.11.1

Problem Types

Type	CWE ID	Description
text	N/A	Improper access control in GitLab

Type: text

CWE ID: N/A

Description: Improper access control in GitLab

Metrics

Version	Base score	Base severity	Vector
3.1	5.4	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

Version: 3.1

Base score: 5.4

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

Credits

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program

References

Hyperlink	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/394960	N/A
https://hackerone.com/reports/1888690	N/A
https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1265.json	N/A

Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/394960

Resource: N/A

Hyperlink: https://hackerone.com/reports/1888690

Resource: N/A

Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1265.json

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/394960	x_transferred
https://hackerone.com/reports/1888690	x_transferred
https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1265.json	x_transferred

Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/394960

Resource:

x_transferred

Hyperlink: https://hackerone.com/reports/1888690

Resource:

x_transferred

Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1265.json

Resource:

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:cve@gitlab.com

Published At:03 May, 2023 | 21:15

Updated At:09 May, 2023 | 20:37

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	4.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Secondary	3.1	5.4	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

Type: Primary

Version: 3.1

Base score: 4.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 5.4

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

CPE Matches

GitLab Inc.

>>gitlab>>Versions from 11.9(inclusive) to 15.9.6(exclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

GitLab Inc.

>>gitlab>>Versions from 15.10(inclusive) to 15.10.5(exclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

GitLab Inc.

>>gitlab>>Versions from 15.11(inclusive) to 15.11.1(exclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-384	Primary	nvd@nist.gov

CWE ID: CWE-384

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1265.json	cve@gitlab.com	Third Party Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/394960	cve@gitlab.com	Broken Link
https://hackerone.com/reports/1888690	cve@gitlab.com	Permissions Required

Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1265.json

Source: cve@gitlab.com

Resource:

Third Party Advisory

Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/394960

Source: cve@gitlab.com

Resource:

Broken Link

Hyperlink: https://hackerone.com/reports/1888690

Source: cve@gitlab.com

Resource:

Permissions Required

Similar CVEs

4Records found

CVE-2022-1413

Matching Score-8

Assigner-GitLab Inc.

View Details

Matching Score-8

Assigner-GitLab Inc.

CVSS Score-5.4||MEDIUM

EPSS-0.20% / 42.08%

7 Day CHG~0.00%

Published-19 May, 2022 | 17:11

Updated-03 Aug, 2024 | 00:03

Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface

Vendor-GitLab Inc.

Product-gitlab GitLab

CWE ID-CWE-522

Insufficiently Protected Credentials

CVE-2021-39895

Matching Score-8

Assigner-GitLab Inc.

View Details

Matching Score-8

Assigner-GitLab Inc.

CVSS Score-6||MEDIUM

EPSS-0.28% / 51.05%

7 Day CHG~0.00%

Published-04 Nov, 2021 | 23:11

Updated-04 Aug, 2024 | 02:20

In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.

Vendor-GitLab Inc.

Product-gitlab GitLab

CVE-2024-5435

Matching Score-8

Assigner-GitLab Inc.

View Details

Matching Score-8

Assigner-GitLab Inc.

CVSS Score-4.5||MEDIUM

EPSS-0.07% / 22.20%

7 Day CHG+0.01%

Published-12 Sep, 2024 | 16:56

Updated-14 Sep, 2024 | 15:05

Generation of Error Message Containing Sensitive Information in GitLab

An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration.

Vendor-GitLab Inc.

Product-gitlab GitLab

CWE ID-CWE-209

Generation of Error Message Containing Sensitive Information

CVE-2021-22237

Matching Score-6

Assigner-GitLab Inc.

View Details

Matching Score-6

Assigner-GitLab Inc.

CVSS Score-6.6||MEDIUM

EPSS-0.18% / 39.29%

7 Day CHG~0.00%

Published-25 Aug, 2021 | 18:37

Updated-03 Aug, 2024 | 18:37

Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2

Vendor-GitLab Inc.

Product-gitlab GitLab

CWE ID-CWE-384

Session Fixation

CVE-2023-1265

Credits

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs