CVE-2023-6564

Published: Feb 8, 2024Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches.

Affected (3)

Products: Gitlab: Gitlab

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	Version 16.4.3
Gitlab Gitlab	Version 16.5.3
Gitlab Gitlab	Version 16.6.1

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17213

Source: cve@gitlab.com

Issue TrackingPermissions Required

https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17213

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPermissions Required

Timeline

No history available yet.