CVE-2023-2576 Improper Access Control in GitLab

2023-07-1302:08:59

CWE-284

GitLab

www.cve.org

cve-2023-2576

improper access control

gitlab

codeowners

protected branch

unauthorized merging

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

4.8

Confidence

High

EPSS

0.001

Percentile

21.4%

JSON

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a developer to remove the CODEOWNERS rules and merge to a protected branch.

CNA Affected

[
  {
    "vendor": "GitLab",
    "product": "GitLab",
    "repo": "git://[email protected]:gitlab-org/gitlab.git",
    "versions": [
      {
        "version": "13.7",
        "status": "affected",
        "lessThan": "15.11.10",
        "versionType": "semver"
      },
      {
        "version": "16.0",
        "status": "affected",
        "lessThan": "16.0.6",
        "versionType": "semver"
      },
      {
        "version": "16.1",
        "status": "affected",
        "lessThan": "16.1.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]