CVE-2023-3950 MEDIUM

CVE-2023-3950: Cleartext Storage of Sensitive Information in GitLab

Vendor GitLab
Product GitLab
Weakness CWE-312 · Cleartext storage
Published September 1, 2023
Last update May 6, 2026

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

An information disclosure issue in GitLab EE, affecting all versions from 16.2 prior to 16.2.5 and from 16.3 prior to 16.3.1, allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it.

Key dates

02 Disclosure timeline

September 1, 2023 CVE published
May 6, 2026 Record updated