CVE-2023-4658

Incorrect Authorization in GitLab

CVSS 3.1 LOWEPSS 0.4%CWE-863

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 3.1EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

01 Dec 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected products

GitLab · GitLab

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://gitlab.com/gitlab-org/gitlab/-/issues/423835 https://hackerone.com/reports/2104540