Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-3385

An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`, fixed in [`tar-1.35`](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html).

Published

2023-08-02T00:15:18.690

Last Modified

2024-11-21T08:17:09.233

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-22
Type: Primary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	gitlab	gitlab	< 16.0.8	Yes
Application	gitlab	gitlab	< 16.0.8	Yes
Application	gitlab	gitlab	< 16.1.3	Yes
Application	gitlab	gitlab	< 16.1.3	Yes
Application	gitlab	gitlab	< 16.2.2	Yes
Application	gitlab	gitlab	< 16.2.2	Yes

References

https://gitlab.com/gitlab-org/gitlab/-/issues/416161 Broken Link ([email protected])
https://hackerone.com/reports/2032730 Permissions Required ([email protected])
https://gitlab.com/gitlab-org/gitlab/-/issues/416161 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/2032730 Permissions Required (af854a3a-2127-422b-91ae-364da2661108)