CVE-2023-3950
MEDIUM
GitLab < 16.2.5 - Cleartext Storage
Title source: rule
Description
An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it.
Scores
CVSS v3
5.5
EPSS
0.0004
EPSS Percentile
12.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Classification
CWE
CWE-312
Status
published
Affected Products (4)
gitlab/gitlab
< 16.2.5
gitlab/gitlab
< 16.2.5
gitlab/gitlab
gitlab/gitlab
Timeline
Published
Sep 01, 2023
Tracked Since
Feb 18, 2026