CVE-2023-1936

LOW severity · CVSS 3.5 · CWE-359

3.5CVSS LOW

Summary

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to leak the email address of a user who created a service desk issue.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionRequired

Confidentiality impactLow

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Affected products we track (1)

GitLab

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://gitlab.com/gitlab-org/gitlab/-/issues/405150
https://hackerone.com/reports/1933829
https://gitlab.com/gitlab-org/gitlab/-/issues/405150
https://hackerone.com/reports/1933829