Cyber Resilience

CVE-2023-0508

Severity: Low
Published: 07 June 2023
Modified: 07 January 2025
CVSS v3.1 base score: 3.1 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS score: 0.0592 (90.8th percentile)
Risk Priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-0508 is a low-severity HTTP Request/Response Splitting (CWE-113) vulnerability in GitLab CE/EE (vendor GitLab, product GitLab). Its CVSS v3.1 base score is 3.1 (Low).

Operationally, it ranks in the top 9.2% of CVEs by EPSS exploit likelihood (90.8th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. The vulnerability is an open redirection that can be triggered via HTTP response splitting in the NPM package API, corresponding to CWE-113. Its CVSS v3.1 base score of 3.1 reflects a network attack vector, high attack complexity, no privileges required, and user interaction required.

An unauthenticated attacker can exploit the flaw by crafting a request to the NPM package API that causes a split response, resulting in a redirect to an arbitrary destination. Successful exploitation yields a limited integrity impact while leaving confidentiality and availability unaffected.

GitLab advisories and the associated issue tracker entries direct administrators to upgrade to the fixed releases 15.10.8, 15.11.7, or 16.0.2. The EPSS score remains flat at 0.0592 with no material increase after disclosure.


Vulnerability details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.

CWE(s): CWE-113 (HTTP Request/Response Splitting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gitlab
Product: gitlab
Affected version ranges: 15.4.0 — 15.10.8 · 15.11.0 — 15.11.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
