CVE-2023-0508 — Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Respons

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.

How to fix CVE-2023-0508

To remediate CVE-2023-0508, upgrade the affected package to a fixed version below.

—upgrade to 15.10.8 or later

Is CVE-2023-0508 being exploited?

Moderate — EPSS is 5.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 12.9.0, < 15.10.8, >= 15.11.0, < 15.11.7, >= 16.0.0, < 16.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (4)

WEBgitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0508.json
WEBgitlab.com/gitlab-org/gitlab/-/issues/389328
WEBhackerone.com/reports/1842314
WEBnvd.nist.gov/vuln/detail/CVE-2023-0508