CVE-2023-3906

LOW

GitLab EE <16.2.8-16.4.1 - Auth Bypass

Title source: llm

Description

An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.

References (2)

[Issue Tracking, Vendor Advisory] https://gitlab.com/gitlab-org/gitlab/-/issues/419213

[Permissions Required] https://hackerone.com/reports/2071411

Scores

CVSS v3 3.5

EPSS 0.0026

EPSS Percentile 48.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Classification

CWE

CWE-1287

Status published

Affected Products (4)

gitlab/gitlab < 16.2.8

gitlab/gitlab

Timeline

Published Sep 29, 2023

Tracked Since Feb 18, 2026