CVE-2023-3914

MEDIUM

GitLab EE <16.2.8, <16.3.5, <16.4.1 - Info Disclosure

Title source: llm

Description

A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.

References (2)

[Permissions Required] https://hackerone.com/reports/2040822

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/418115

Scores

CVSS v3 5.4

EPSS 0.0004

EPSS Percentile 12.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Classification

CWE

CWE-286

Status published

Affected Products (2)

gitlab/gitlab < 16.2.8

gitlab/gitlab

Timeline

Published Sep 29, 2023

Tracked Since Feb 18, 2026