Main Vulnerability Database Vulnerabilities #VU84413

Improper access control in GitLab Enterprise Edition - CVE-2023-6564

Published: December 14, 2023

Vulnerability identifier: #VU84413

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-6564

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
GitLab Enterprise Edition

Software vendor:
GitLab, Inc

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to in projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches.

Remediation

Install updates from vendor's website.

External links

https://about.gitlab.com/releases/2023/12/13/security-release-gitlab-16-6-2-released/

Improper access control in GitLab Enterprise Edition - CVE-2023-6564

Description

Remediation

External links

Please verify you're human