CVE-2023-4379: Incorrect Authorization in GitLab
First published: Thu Nov 09 2023(Updated: )
An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab GitLab | >=15.3.0<16.2.8 | |
| GitLab GitLab | >=16.3.0<16.3.5 | |
| GitLab GitLab | =16.4.0 |
Remedy
Upgrade to version 16.2.8, 16.3.5, 16.4.1 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-4379?
CVE-2023-4379 is a vulnerability in GitLab EE that allows improper access control.
Which versions of GitLab EE are affected by CVE-2023-4379?
All versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 are affected by CVE-2023-4379.
What is the severity of CVE-2023-4379?
CVE-2023-4379 has a severity rating of 8.1 (High).
How does CVE-2023-4379 work?
CVE-2023-4379 allows code owner approval to remain on merge requests even when the target branch is updated in GitLab EE.
Is there a fix available for CVE-2023-4379?
Yes, the fix is available in GitLab versions 16.2.8, 16.3.5, and 16.4.1.
- agent/type
- agent/event
- agent/first-publish-date
- agent/references
- agent/remedy
- agent/severity
- agent/author
- agent/softwarecombine
- agent/description
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/title
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/gitlab
- canonical/gitlab gitlab
- version/gitlab gitlab/15.3.0
- version/gitlab gitlab/16.3.0
- version/gitlab gitlab/16.4.0