github - ghsa-96gj-7pcm-7895

ghsa-96gj-7pcm-7895

Vulnerability from github

Published

2023-08-02 00:30

Modified

2024-04-04 06:29

Severity

3.1 (Low) - CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

An issue has been discovered in GitLab affecting all versions starting from 12.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to leak a user's email via an error message for groups that restrict membership by email domain.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1210"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-02T00:15:16Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab affecting all versions starting from 12.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to leak a user\u0027s email via an error message for groups that restrict membership by email domain.",
  "id": "GHSA-96gj-7pcm-7895",
  "modified": "2024-04-04T06:29:14Z",
  "published": "2023-08-02T00:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1210"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1884672"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/394775"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2023-1210

Vulnerability from cvelistv5

Published

2023-08-01 23:36

Modified

2024-09-18 04:03

Severity

3.1 (Low) - cvssV3_1 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

Exposure of Sensitive Information to an Unauthorized Actor in GitLab

References

URL	Tags
https://gitlab.com/gitlab-org/gitlab/-/issues/394775	issue-tracking
https://hackerone.com/reports/1884672	technical-description, exploit, permissions-required

Impacted products

Vendor	Product
GitLab	GitLab

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1210",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-25T13:26:38.599217Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-25T13:27:17.330Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:40:59.650Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "GitLab Issue #394775",
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/394775"
          },
          {
            "name": "HackerOne Bug Bounty Report #1884672",
            "tags": [
              "technical-description",
              "exploit",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1884672"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "16.0.8",
              "status": "affected",
              "version": "12.9",
              "versionType": "semver"
            },
            {
              "lessThan": "16.1.3",
              "status": "affected",
              "version": "16.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.2.2",
              "status": "affected",
              "version": "16.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [shells3c](https://hackerone.com/shells3c) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue has been discovered in GitLab affecting all versions starting from 12.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to leak a user\u0027s email via an error message for groups that restrict membership by email domain."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-18T04:03:25.183Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #394775",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/394775"
        },
        {
          "name": "HackerOne Bug Bounty Report #1884672",
          "tags": [
            "technical-description",
            "exploit",
            "permissions-required"
          ],
          "url": "https://hackerone.com/reports/1884672"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 16.2.2, 16.1.3, 16.0.8 or above."
        }
      ],
      "title": "Exposure of Sensitive Information to an Unauthorized Actor in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2023-1210",
    "datePublished": "2023-08-01T23:36:25.668Z",
    "dateReserved": "2023-03-06T20:10:51.153Z",
    "dateUpdated": "2024-09-18T04:03:25.183Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.