CVE-2023-5612 : An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.

An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled.

Published 2024-01-26 02:15:07

Updated 2024-10-03 07:15:24

Source GitLab Inc.

View at NVD, CVE.org

Products affected by CVE-2023-5612

Gitlab » Gitlab » Community Edition
Versions from including (>=) 16.7.0 and before (<) 16.7.4
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
Matching versions
Gitlab » Gitlab » Enterprise Edition
Versions from including (>=) 16.7.0 and before (<) 16.7.4
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Matching versions
Gitlab » Gitlab » Community Edition
Versions before (<) 16.6.6
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
Matching versions
Gitlab » Gitlab » Enterprise Edition
Versions before (<) 16.6.6
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Matching versions
Gitlab » Gitlab » Version: 16.8.0 Community Edition
cpe:2.3:a:gitlab:gitlab:16.8.0:*:*:*:community:*:*:*
Matching versions
Gitlab » Gitlab » Version: 16.8.0 Enterprise Edition
cpe:2.3:a:gitlab:gitlab:16.8.0:*:*:*:enterprise:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-5612

EPSS FAQ

0.53%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 77 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2023-5612

GitLab Tags RSS feed email disclosure

Disclosure Date: 2024-01-25

First seen: 2024-03-07

auxiliary/gather/gitlab_tags_rss_feed_email_disclosure

An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It is possible to read the user email address via tags feed although the visibility in the user profile has been disabled. Au

More information

CVSS scores for CVE-2023-5612

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	GitLab Inc.	2024-01-26
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST	2024-01-31
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2023-5612

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: cve@gitlab.com (Secondary)
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: cve@gitlab.com (Secondary)

References for CVE-2023-5612

https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/

GitLab Critical Security Release: 16.8.1, 16.7.4, 16.6.6, 16.5.8 | GitLab
Vendor Advisory

CVEs referencing this url
https://gitlab.com/gitlab-org/gitlab/-/issues/428441

Not Found
Broken Link
https://hackerone.com/reports/2208790

Sign in | HackerOne
Permissions Required

Jump to