Unauthorized File Access Vulnerability in GitLab Products
CVE-2023-5117
3.7 LOW
Summary
An unauthorized access issue was discovered in GitLab CE/EE affecting all versions before 17.6.0. Files uploaded to comments on confidential issues and epics in public projects could be retrieved through their direct upload link without authentication, so anyone holding such a link could read an attachment that the confidential issue itself would have hidden. The impact is limited to confidentiality of the affected files, and the CVSS metrics rate attack complexity as high, consistent with an attacker first needing to obtain the link; it is nonetheless a real exposure in collaborative projects where confidential issues carry sensitive material. Update to 17.6.0 or later; on unpatched instances, treat any upload link that has been shared from a confidential issue as readable by anyone who has it.
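Two checks a practitioner would want alongside this advisory, as an added example (this is not GitLab code): a version test for the affected range stated above, and a scan that reports which upload links copied from confidential issues an unauthenticated client can still download. It assumes GitLab upload links carry a 32-character hex secret (`.../uploads/<secret>/<filename>`), uses a constructed `gitlab.example.com` host, and conservatively treats pre-release builds of 17.6.0 as affected; none of those details come from the advisory.

```python
"""Checks for CVE-2023-5117 (upload links on confidential issues served anonymously).

Added example, not GitLab's code. It does two things:
  1. decides whether a GitLab version string falls in the affected range (< 17.6.0);
  2. given upload links copied from confidential issues or epics, reports which ones
     an unauthenticated client can still download.
Hostnames, secrets and version strings used here are constructed for illustration.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

FIXED_VERSION = (17, 6, 0)  # advisory: all versions before 17.6.0 are affected

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?P<suffix>[-.+].*)?$")
# Assumption (not from the advisory): upload links carry a 32-hex secret,
# e.g. https://host/group/proj/uploads/<secret>/<filename>
_UPLOAD_RE = re.compile(r"/uploads/[0-9a-f]{32}/[^/?#]+$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], str]:
    """Split '17.5.2-ee' into ((17, 5, 2), '-ee'); raises on strings it cannot parse."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    nums = tuple(int(x) for x in m.groups()[:3])
    return nums, (m.group("suffix") or "")


def is_affected(version: str) -> bool:
    """True if the instance is in the advisory's affected range (before 17.6.0).

    Pre-release or RC builds of 17.6.0 may predate the fix commit, so they are
    treated as affected. That is a conservative choice made here, not advisory text.
    """
    nums, suffix = parse_version(version)
    if nums == FIXED_VERSION and any(tag in suffix for tag in ("pre", "rc")):
        return True
    return nums < FIXED_VERSION


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the sign-in page must not be mistaken for a 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_anonymously(url: str, timeout: float = 10.0) -> int:
    """GET the URL with no cookies or tokens and return the HTTP status code."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2023-5117-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 302 (not followed), 401, 404, ... all mean "not served anonymously"


def exposed_uploads(urls: Iterable[str],
                    fetch: Callable[[str], int] = fetch_anonymously) -> List[str]:
    """Return the upload links an unauthenticated client can download (HTTP 200).

    Only links that look like GitLab upload URLs are tested. `fetch` is injectable so
    the logic can run offline; the default performs a real anonymous GET.
    """
    return [u for u in urls if _UPLOAD_RE.search(u) and fetch(u) == 200]


if __name__ == "__main__":
    import sys

    # usage: python check.py 17.5.1-ee https://gitlab.example.com/group/proj/uploads/<secret>/file.pdf ...
    version, links = sys.argv[1], sys.argv[2:]
    print("affected version" if is_affected(version) else "version not in affected range")
    for link in exposed_uploads(links):
        print("readable without authentication:", link)
```

Run it from a host with no GitLab session against links taken from a confidential issue; any link it prints is readable by anyone who has it, regardless of the issue's confidentiality setting. A patched instance should not return 200 for such links to an anonymous client.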
Affected Version(s)
GitLab < 17.6.0 (all versions before 17.6.0)
CVSS V3.1
Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was reported internally by team member [Greg Myers](https://gitlab.com/greg).