CVE-2023-0508

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0508.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/389328	Broken Link
https://hackerone.com/reports/1842314	Permissions Required Third Party Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0508.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/389328	Broken Link
https://hackerone.com/reports/1842314	Permissions Required Third Party Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/389328	Broken Link

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

07 Jan 2025, 17:15

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/389328 - Broken Link~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/389328 - Broken Link

21 Nov 2024, 07:37

Type	Values Removed	Values Added
References	~~() https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0508.json - Vendor Advisory~~	() https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0508.json - Vendor Advisory
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/389328 - Broken Link~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/389328 - Broken Link
References	~~() https://hackerone.com/reports/1842314 - Permissions Required, Third Party Advisory~~	() https://hackerone.com/reports/1842314 - Permissions Required, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~4.3~~	v2 : unknown v3 : 3.1

03 Oct 2024, 07:15

Type	Values Removed	Values Added
CWE		CWE-113

14 Jun 2023, 01:10

Type	Values Removed	Values Added
References	~~(CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0508.json -~~	(CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0508.json - Vendor Advisory
References	~~(MISC) https://hackerone.com/reports/1842314 -~~	(MISC) https://hackerone.com/reports/1842314 - Permissions Required, Third Party Advisory
References	~~(MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/389328 -~~	(MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/389328 - Broken Link
CPE		cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
CWE		NVD-CWE-Other
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3

07 Jun 2023, 17:28

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-06-07 17:15

Updated : 2025-01-07 17:15

NVD link : CVE-2023-0508

Mitre link : CVE-2023-0508

CVE.ORG link : CVE-2023-0508

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

NVD-CWE-Other

3.1 /10