CVE-2023-0508
Published: 07 June 2023
Summary
CVE-2023-0508 is a low-severity HTTP Request/Response Splitting (CWE-113) vulnerability in Gitlab Gitlab. Its CVSS base score is 3.1 (Low).
Operationally, ranked in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. The vulnerability is an open redirection that can be triggered via HTTP response splitting in the NPM package API, corresponding to CWE-113. It carries a CVSS 3.1 score of 3.1 reflecting network attack vector, high attack complexity, no required privileges, and required user interaction.
An attacker without authentication can exploit the flaw by crafting a request to the NPM package API that causes a split response, resulting in redirection to an arbitrary destination. Successful exploitation yields limited integrity impact while leaving confidentiality and availability unaffected.
GitLab advisories and the associated issue tracker entries direct administrators to upgrade to the fixed releases 15.10.8, 15.11.7, or 16.0.2. The EPSS score remains flat at 0.0592 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12555
Vulnerability details
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the…
more
NPM package API.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.