CVE-2023-2069

MEDIUM

Gitlab < 12.9.8 - Exposure to Wrong Actor

Title source: rule

Description

An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. A user with the role of developer could use the import project feature to leak CI/CD variables.

References (3)

[Third Party Advisory] https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2069.json

View Writeup ZIP pw:eip

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/407374

[Permissions Required] https://hackerone.com/reports/1939987

Scores

CVSS v3 6.4

EPSS 0.0027

EPSS Percentile 50.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Classification

CWE

CWE-668

Status published

Affected Products (1)

gitlab/gitlab < 12.9.8

Timeline

Published May 03, 2023

Tracked Since Feb 18, 2026