CVE-2023-3906

LOW

GitLab EE <16.2.8-16.4.1 - Auth Bypass

Title source: llm

Description

An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image URLs that bypass the asset proxy.

Scores

CVSS v3 3.5
EPSS 0.0027
EPSS Percentile 50.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-1287
Status published
Products (2)
gitlab/gitlab 16.4.0 (2 CPE variants)
gitlab/gitlab 12.3 - 16.2.8 (2 CPE variants)
Published Sep 29, 2023
Tracked Since Feb 18, 2026