CVE-2023-3964

MEDIUM

GitLab 13.2-16.4.2, 16.5-16.5.2, 16.6 - Incorrect Authorization in Package Registry

Title source: llm

Description

An issue has been discovered in GitLab affecting all versions from 13.2 before 16.4.3, all versions from 16.5 before 16.5.3, and all versions from 16.6 before 16.6.1. It was possible for users to access Composer packages on public projects that had the package registry disabled in the project settings.

References (2)

Vendor Advisory (broken link; tags: issue-tracking, permissions-required): https://gitlab.com/gitlab-org/gitlab/-/issues/419857
Third Party Advisory (permissions required; tags: technical-description, exploit, permissions-required): https://hackerone.com/reports/2037316

Scores

CVSS v3 4.3
EPSS 0.0018
EPSS Percentile 39.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (5)
gitlab/gitlab 16.6.0 (2 CPE variants)
GitLab/GitLab 13.2 - 16.4.3
gitlab/gitlab 13.2.0 - 16.4.3 (2 CPE variants)
GitLab/GitLab 16.5 - 16.5.3
GitLab/GitLab 16.6 - 16.6.1
Published Dec 01, 2023
Tracked Since Feb 18, 2026