CVE-2023-3950

MEDIUM

GitLab 16.2-16.2.5, 16.3-16.3.1 - Unauthenticated Cleartext Storage of Sensitive Information in Google Cloud Logging

Title source: llm
STIX 2.1

Description

An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it.

References (2)

Core 2
Core References
Broken Link issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/419675
Permissions Required technical-description exploit permissions-required
https://hackerone.com/reports/2079154

Scores

CVSS v3 5.5
EPSS 0.0004
EPSS Percentile 13.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-312
Status published
Products (4)
gitlab/gitlab 16.3.0 (2 CPE variants)
gitlab/gitlab 16.2 - 16.2.5 (2 CPE variants)
GitLab/GitLab 16.2 - 16.2.5
GitLab/GitLab 16.3 - 16.3.1
Published Sep 01, 2023
Tracked Since Feb 18, 2026