CVE-2023-4658: Incorrect Authorization in GitLab
First published: Fri Dec 01 2023(Updated: )
An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab GitLab | >=8.13.0<16.4.3 | |
| GitLab GitLab | >=16.5.0<16.5.3 | |
| GitLab GitLab | =16.6.0 |
Remedy
Upgrade to versions 16.4.3, 16.5.3, 16.6.1 or above.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-4658?
CVE-2023-4658 is an Improper Access Control vulnerability in GitLab.
Who is affected by CVE-2023-4658?
GitLab EE versions starting from 8.13 before 16.4.3, versions starting from 16.5 before 16.5.3, and version 16.6.0 are affected by CVE-2023-4658.
What is the severity of CVE-2023-4658?
The severity of CVE-2023-4658 is low with a CVSS score of 3.1.
How can an attacker exploit CVE-2023-4658?
An attacker can abuse the 'Allowed to merge' permission as a guest user in GitLab EE.
How can CVE-2023-4658 be fixed?
To fix CVE-2023-4658, upgrade GitLab EE to version 16.4.3, 16.5.3, or 16.6.1 depending on the affected version.
- agent/references
- agent/type
- agent/event
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/author
- agent/softwarecombine
- agent/description
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/title
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/gitlab
- canonical/gitlab gitlab
- version/gitlab gitlab/8.13.0
- version/gitlab gitlab/16.5.0
- version/gitlab gitlab/16.6.0