Vulnerability Details : CVE-2023-3900
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. An invalid 'start_sha' value on merge requests page may lead to Denial of Service as Changes tab would not load.
Vulnerability category: Denial of service
Products affected by CVE-2023-3900
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-3900
0.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 38 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-3900
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
2.8
|
1.4
|
GitLab Inc. | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2023-3900
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: cve@gitlab.com (Secondary)
-
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.Assigned by: cve@gitlab.com (Secondary)
References for CVE-2023-3900
-
https://hackerone.com/reports/2058514
Just a moment...Permissions Required
-
https://gitlab.com/gitlab-org/gitlab/-/issues/418770
Not FoundBroken Link
Jump to