Lucene search

GoogleOSV:CVE-2023-4812

HistoryJan 12, 2024 - 2:15 p.m.

CVE-2023-4812

2024-01-1214:15:48

Google

osv.dev

cve-2023-4812

gitlab ee

security bypass

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

6.1 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request.

CPENameOperatorVersion
gitlabeq16.6.2-ee
gitlabeq16.6.1-ee
gitlabeq16.6.0-ee

Name	Operator	Version
gitlab	eq	16.6.2-ee
gitlab	eq	16.6.1-ee
gitlab	eq	16.6.0-ee

References

gitlab.com/gitlab-org/gitlab/-/issues/424398

hackerone.com/reports/2115574