CVE-2023-3949

Source
https://cve.org/CVERecord?id=CVE-2023-3949
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3949.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-3949
Aliases
Published
2023-12-01T07:02:13.130Z
Modified
2026-04-10T04:59:28.971071Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Insertion of Sensitive Information Into Sent Data in GitLab
Details

An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects' release descriptions via an atom endpoint when release access on the public was set to only project members.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3949.json",
    "cna_assigner": "GitLab",
    "cwe_ids": [
        "CWE-201"
    ]
}
References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Database specific
{
    "versions": [
        {
            "introduced": "11.3"
        },
        {
            "fixed": "16.4.3"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Database specific
{
    "versions": [
        {
            "introduced": "16.5"
        },
        {
            "fixed": "16.5.3"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Database specific
{
    "versions": [
        {
            "introduced": "16.6"
        },
        {
            "fixed": "16.6.1"
        }
    ]
}

Affected versions

v16.*
v16.5.0-ee
v16.5.2-ee
v16.6.0-ee

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3949.json"