An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`, fixed in [`tar-1.35`](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html).
References
| Link | Resource |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/416161 | Broken Link |
| https://hackerone.com/reports/2032730 | Permissions Required |
| https://gitlab.com/gitlab-org/gitlab/-/issues/416161 | Broken Link |
| https://hackerone.com/reports/2032730 | Permissions Required |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:17
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.3 |
| References | () https://gitlab.com/gitlab-org/gitlab/-/issues/416161 - Broken Link | |
| References | () https://hackerone.com/reports/2032730 - Permissions Required |
04 Aug 2023, 19:19
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Gitlab gitlab
Gitlab |
|
| References | (MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/416161 - Broken Link | |
| References | (MISC) https://hackerone.com/reports/2032730 - Permissions Required | |
| CPE | cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| CWE | CWE-22 |
02 Aug 2023, 00:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-08-02 00:15
Updated : 2024-11-21 08:17
NVD link : CVE-2023-3385
Mitre link : CVE-2023-3385
CVE.ORG link : CVE-2023-3385
JSON object : View
Products Affected
gitlab
- gitlab
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')