CVE-2023-3922

LOW

GitLab 8.15-16.2.7, 16.3-16.3.4, 16.4 - Open Redirect via UI Link Hijacking

Title source: llm
STIX 2.1

Description

An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.

References (2)

Core 2
Core References
Issue Tracking, Vendor Advisory issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/394770
Permissions Required technical-description exploit permissions-required
https://hackerone.com/reports/1887323

Scores

CVSS v3 3.0
EPSS 0.0006
EPSS Percentile 17.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-601
Status published
Products (5)
gitlab/gitlab 16.4.0 (2 CPE variants)
GitLab/GitLab 16.2 - 16.2.8
GitLab/GitLab 16.3 - 16.3.5
GitLab/GitLab 16.4 - 16.4.1
gitlab/gitlab 8.15 - 16.2.8 (2 CPE variants)
Published Sep 29, 2023
Tracked Since Feb 18, 2026