4.3

CVE-2023-0508

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GitlabGitlab SwEditioncommunity Version >= 15.4.0 < 15.10.8
GitlabGitlab SwEditionenterprise Version >= 15.4.0 < 15.10.8
GitlabGitlab SwEditioncommunity Version >= 15.11.0 < 15.11.7
GitlabGitlab SwEditionenterprise Version >= 15.11.0 < 15.11.7
GitlabGitlab SwEditioncommunity Version >= 16.0.0 < 16.0.2
GitlabGitlab SwEditionenterprise Version >= 16.0.0 < 16.0.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.74% 0.876
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
cve@gitlab.com 3.1 1.6 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

https://hackerone.com/reports/1842314
Third Party Advisory
Permissions Required