CVE-2023-4002: Insertion of Sensitive Information Into Sent Data in GitLab
An issue has been discovered in GitLab EE affecting all versions starting from 14.1 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for EE-licensed users to link any security policy project by its ID to projects or groups the user has access to, potentially revealing the security projects's configured security policies.
Security readout for executives and security teams
Plain-English summary
This is a GitLab Enterprise Edition information disclosure issue. A licensed user with access to a project or group could associate a security policy project by ID and potentially see sensitive security policy configuration. It does not indicate system takeover, but it can expose defensive rules and governance decisions that should be private.
Executive priority
Handle as a moderate-priority confidentiality issue. It is not described as actively exploited or system-compromising, but exposed security policies can weaken governance, detection, and compliance controls. Prioritize patching affected GitLab EE instances and reviewing access to security policy projects.
Technical view
CVE-2023-4002 is CWE-201 in GitLab EE. A low-privileged, EE-licensed user could link a security policy project by ID to projects or groups they could access, potentially revealing configured security policies. The CVSS vector shows network access, high attack complexity, low privileges, no user interaction, and confidentiality-only impact.
Likely exposure
Likely exposure is GitLab EE deployments running 14.1 before 16.0.8, 16.1 before 16.1.3, or 16.2 before 16.2.2. Risk is higher where many licensed users can access projects or groups and security policies contain sensitive governance or detection details.
Exploitation context
The provided sources do not show active exploitation, and the CVE is not listed as KEV. Exploitation requires an authenticated, licensed GitLab EE user and knowledge or discovery of a security policy project ID. The main risk is confidentiality loss, not service disruption or code execution.
Researcher notes
Evidence is limited to the CVE record, CVE List entry, and GitLab issue reference. The affected behavior is policy-project linkage by ID, with possible disclosure of configured security policies. No exploit proof, patch notes beyond fixed version boundaries, or detailed mitigations are present in the provided bundle.
Mitigation direction
Upgrade affected GitLab EE instances to 16.0.8, 16.1.3, 16.2.2, or later supported releases.
Review GitLab vendor guidance and issue 416647 for any environment-specific recommendations.
Limit project and group access to users with a business need.
Treat security policy project details as sensitive and restrict who can view or manage them.
Validation and detection
Inventory GitLab EE versions and compare them against the affected version ranges.
Confirm whether security policy projects are used in affected projects or groups.
Review project and group membership for unnecessary licensed user access.
Check audit or administrative records for unexpected security policy project associations.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-201: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-201 · source CWE mapping
Insertion of Sensitive Information Into Sent Data
Insertion of Sensitive Information Into Sent Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.