CVE-2023-3922

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-3922
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-3922.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-3922
Aliases
Downstream
Published
2023-09-29T07:30:50.402Z
Modified
2025-11-29T15:10:53.405168Z
Severity
  • 3.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L CVSS Calculator
Summary
URL Redirection to Untrusted Site ('Open Redirect') in GitLab
Details

An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3922.json",
    "cna_assigner": "GitLab",
    "cwe_ids": [
        "CWE-601"
    ]
}
References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
3adc0fe6e7c163bedd7faa5f0c4d1e5fbb6bf3c5
Fixed
7fc27fe692abccaed7e2e0ebfea2aadf5140593f
Database specific 
{
    "versions": [
        {
            "introduced": "16.2"
        },
        {
            "fixed": "16.2.8"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
3dfd4e0bcc7eae4330e7fed87ec74bee9a8bdf2d
Fixed
40d6bde8c59f78957b08b3a7cd9622a97b7af981
Database specific 
{
    "versions": [
        {
            "introduced": "16.3"
        },
        {
            "fixed": "16.3.5"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
e4c1c182610739c1b1d10a8eacbea1f5aa837ad6
Fixed
229bc5f59850b16213b035138ad76f65b6724864
Database specific 
{
    "versions": [
        {
            "introduced": "16.4"
        },
        {
            "fixed": "16.4.1"
        }
    ]
}

Affected versions

v16.*

v16.2.0-ee
v16.2.1-ee
v16.2.2-ee
v16.2.3-ee
v16.2.4-ee
v16.2.5-ee
v16.2.6-ee
v16.2.7-ee
v16.3.0-ee
v16.3.1-ee
v16.3.2-ee
v16.3.3-ee
v16.3.4-ee
v16.4.0-ee

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-3922.json"