www.belgium.be Logo of the federal government

Warning - Multiple vulnerabilities in GitLab

Advisory #2023-25
Affected software: 
GitLab Community Edition
GitLab Enterprise Edition
Several vulnerabilities, including XSS leading to arbitrary actions

CVE-2023-0050: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
CVE-2022-4289: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
CVE-2022-4331: 5.7 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N)
CVE-2023-0483: 5.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
CVE-2022-4007: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVE-2022-3758  5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVE-2023-0223: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVE-2022-4462:5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
CVE-2023-1072: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
CVE-2022-3381: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE-2023-1084: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)


Official manufacturer: https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-...


CVE-2023-0050: A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.

CVE-2022-4289: Google IAP details in Prometheus integration were not hidden, could be leaked from instance, group, or project settings to other users.

CVE-2022-4331: If a group with SAML SSO enabled is transferred to a new namespace as a child group, it's possible previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group.

CVE-2023-0483: It was possible for a project maintainer to extract a Datadog integration API key by modifying the site.

CVE-2022-4007: A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims at client side.

CVE-2022-3758: Due to improper permissions checks an unauthorised user was able to read, add or edit a users private snippet.

CVE-2023-0223: Non-project members could retrieve release descriptions via the API, even if the release visibility is restricted to project members only in the project settings.

CVE-2022-4462: This vulnerability could allow a user to unmask the Discord Webhook URL through viewing the raw API response.

CVE-2023-1072: It was possible to trigger a resource depletion attack due to improper filtering for number of requests to read commits details.

CVE-2022-3381: A crafted URL could be used to redirect users to arbitrary sites.

CVE-2023-1084: A malicious project Maintainer may create a Project Access Token with Owner level privileges using a crafted request.



11 vulnerabilities exist in GitLab Community Edition and Enterprise Edition before versions 15.9.2, 15.8.4 and 15.7.8.

Recommended Actions

The CCB strongly recommend that all installations running a version affected by the issues described above are upgraded to the latest version as soon as possible.


GitLab.com: https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-...