CVE-2023-2589
Description
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE IP restriction bypass allows cloning public repositories from disallowed IPs via 'Run CI/CD for external repository' feature.
Vulnerability
An issue in GitLab EE allows bypassing IP restrictions set on groups. An attacker can clone a repository from a public project even after the top-level group has enabled IP restrictions. This affects all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2 [1].
Exploitation
An attacker with a disallowed IP address can create a new project using the "Run CI/CD for external repository" feature and connect it to the restricted repository. This allows the attacker to clone the repository contents despite being blocked by IP restrictions [1].
Impact
Successful exploitation results in unauthorized read access to the repository, leading to information disclosure of the project's files [1].
Mitigation
GitLab has fixed the issue in versions 15.10.8, 15.11.7, and 16.0.2. Users should upgrade to one of these versions or later. No workaround is available [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.0, <15.10.8 || >=15.11, <15.11.7 || >=16.0, <16.0.2
- Range: >=12.0, <15.10.8
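As an added example (not from the advisory or from GitLab), a small parser for the range expression listed above that lets a defender check whether an instance's version falls inside the affected set; the range string is taken from this page, and the sample version strings fed to it are constructed.

```python
"""Evaluate a GitLab version against the CVE-2023-2589 affected-version ranges.

Added example, not part of the advisory. AFFECTED_RANGE is copied from the
'Affected products' entry; the version strings tested below are constructed.
"""
import re

AFFECTED_RANGE = ">=12.0, <15.10.8 || >=15.11, <15.11.7 || >=16.0, <16.0.2"

# One comparator clause: optional operator followed by a dotted numeric version.
_CMP_RE = re.compile(r"^(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Turn '15.10.8' (or '15.10.8-ee') into a comparable tuple of ints.
    Missing components are treated as 0, so '12.0' becomes (12, 0, 0)."""
    core = text.strip().split("-")[0]          # drop an '-ee' / '-rc1' suffix
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_range(expr):
    """Parse 'A || B || C', where each alternative is a comma-separated list of
    clauses such as '>=12.0, <15.10.8'. Returns a list of alternatives, each a
    list of (operator, version_tuple) pairs that must all hold."""
    alternatives = []
    for alt in expr.split("||"):
        clauses = []
        for clause in alt.split(","):
            m = _CMP_RE.match(clause.strip())
            if not m:
                raise ValueError("unparseable clause: %r" % clause)
            op, ver = m.group(1) or "=", m.group(2)
            clauses.append((op, parse_version(ver)))
        alternatives.append(clauses)
    return alternatives


_OPS = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    ">":  lambda v, b: v > b,
    "<":  lambda v, b: v < b,
    "=":  lambda v, b: v == b,
}


def is_affected(version, expr=AFFECTED_RANGE):
    """True if `version` satisfies every clause of at least one alternative."""
    v = parse_version(version)
    return any(all(_OPS[op](v, b) for op, b in alt) for alt in parse_range(expr))


if __name__ == "__main__":
    # Constructed sample versions: the fixed releases sit just outside each range.
    for v in ["15.10.7-ee", "15.10.8-ee", "15.11.6", "15.11.7", "16.0.1", "16.0.2"]:
        print(v, "affected" if is_affected(v) else "not affected")
```

Note that a backport such as 15.10.9 is outside the first range and below the start of the second, so the parser correctly reports it as not affected.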
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
The "Run CI/CD for external repository" project creation flow does not enforce group-level IP restrictions, allowing blocked IP addresses to clone repository contents.
Attack vector
An attacker whose IP address is blocked by a group's IP restriction can still clone the repository by using the "Run CI/CD for external repository" option when creating a new project [1]. The attacker first creates a project via this flow, which connects to the IP-restricted repository and makes all its files accessible. This bypasses the IP restriction that would normally return a 404 when the project is accessed directly [1]. The attack requires the target group and project to be public, and the attacker must have a valid GitLab account [1].
Affected code
The vulnerability involves the "Run CI/CD for external repository" project creation flow, which bypasses IP restrictions enforced at the top-level group. The issue is tracked in GitLab issue #407891 [1].
What the fix does
The advisory does not include a published patch diff. The remediation guidance is to upgrade GitLab EE to versions 15.10.8, 15.11.7, or 16.0.2, which contain the fix for this issue. The fix ensures that IP restrictions are properly enforced during the "Run CI/CD for external repository" project creation flow, preventing blocked IP addresses from accessing repository contents through this bypass.
Preconditions
- config: The target group and project must be set to public visibility
- auth: The attacker must have a valid GitLab account
- input: The attacker's IP address must be blocked by the group's IP restriction settings
- config: The top-level group must have IP restrictions enabled
Reproduction
1. Create a public group with IP restrictions enabled and block the attacker's IP address.
2. Create a public project under that group.
3. As the attacker (with blocked IP), go to "Create a project" and choose "Run CI/CD for external repository".
4. Connect to the IP-restricted repository URL (e.g., `https://gitlab.com/repro_1941803/test.git`).
5. The attacker can now view all files of the repository despite their IP being blocked [1].
Generated on May 26, 2026. Inputs: CWE entries and fix-commit diffs from this CVE's patches. Citations validated against the source bundle.
References
News mentions
- GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8 (GitLab Security Releases · Jun 5, 2023)