Unrated severity · NVD Advisory · Published Feb 8, 2024 · Updated Oct 3, 2024
Incorrect Authorization in GitLab
CVE-2023-6564
Description
An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches.
Affected products
- GitLab EE Premium and Ultimate, versions 16.4.3, 16.5.3, 16.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- gitlab.com/gitlab-com/gl-infra/production/-/issues/17213 (MITRE; issue tracking; permissions required)
News mentions
- GitLab Security Release: 16.6.2, 16.5.4, 16.4.4 (GitLab Security Releases · Dec 13, 2023)