CVE-2023-4658
Published: 1 December 2023
An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
gitlab Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(gitlab EE only)
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Not vulnerable
(gitlab EE only)
|
|
| upstream |
Not vulnerable
(debian: Specific to EE)
|
|
| xenial |
Not vulnerable
(gitlab EE only)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.1 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |