Lucene search

GoogleOSV:BIT-GITLAB-2023-6564

HistoryMar 06, 2024 - 10:54 a.m.

BIT-gitlab-2023-6564

2024-03-0610:54:37

Google

osv.dev

gitlab

ee premium

ultimate

subgroup

push

merge

protected branches

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.9 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

16.2%

JSON

An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches.

CPENameOperatorVersion
gitlable16.5.3
gitlable16.4.3
gitlabge16.6.1
gitlabge16.5.3
gitlabge16.4.3
gitlable16.6.1

Name	Operator	Version
gitlab	le	16.5.3
gitlab	le	16.4.3
gitlab	ge	16.6.1
gitlab	ge	16.5.3
gitlab	ge	16.4.3
gitlab	le	16.6.1

References

gitlab.com/gitlab-com/gl-infra/production/-/issues/17213

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.9 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

16.2%

JSON

Related for OSV:BIT-GITLAB-2023-6564