Rapid7
FreeBSD: VID-3b14b2b4-9014-11ee-98b3-001b217b3468 (CVE-2023-3443): Gitlab -- Vulnerabilities

Severity: 3
CVSS: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Published: Dec 1, 2023
Added: Dec 2, 2023
Modified: Mar 25, 2026

Description

Gitlab reports:

- XSS and ReDoS in Markdown via Banzai pipeline of Jira
- Members with admin_group_member custom permission can add members with higher role
- Release Description visible in public projects despite release set as project members only through atom response
- Manipulate the repository content in the UI (CVE-2023-3401 bypass)
- External user can abuse policy bot to gain access to internal projects
- Client-side DOS via Mermaid Flowchart
- Developers can update pipeline schedules to use protected branches even if they don't have permission to merge
- Users can install Composer packages from public projects even when Package registry is turned off
- Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches
- Guest users can react (emojis) on confidential work items which they can't see in a project

Solution

freebsd-upgrade-package-gitlab-ce