CVE-2023-3914

MEDIUM

GitLab EE <16.2.8, <16.3.5, <16.4.1 - Info Disclosure

Title source: llm
STIX 2.1

Description

A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.

References (2)

Core 2
Core References
Broken Link issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/418115
Permissions Required technical-description exploit permissions-required
https://hackerone.com/reports/2040822

Scores

CVSS v3 5.4
EPSS 0.0004
EPSS Percentile 12.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-286
Status published
Products (5)
gitlab/gitlab 16.4.0
gitlab/gitlab < 16.2.8
GitLab/GitLab < 16.2.8
GitLab/GitLab 16.3 - 16.3.5
GitLab/GitLab 16.4 - 16.4.1
Published Sep 29, 2023
Tracked Since Feb 18, 2026