← back
CVE-2023-3906

Improper Validation of Specified Type of Input in GitLab

CVSS 3.5 LOWEPSS 0.5%CWE-1287
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 3.5EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
29 Sep 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Affected products
GitLab · GitLab

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://gitlab.com/gitlab-org/gitlab/-/issues/419213https://hackerone.com/reports/2071411