CVE-2023-5198
First published: Fri Sep 29 2023(Updated: )
An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.
Credit: cve@gitlab.com cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gitlab Gitlab | >=8.15<16.2.8 | |
| Gitlab Gitlab | >=8.15<16.2.8 | |
| Gitlab Gitlab | >=16.3.0<16.3.5 | |
| Gitlab Gitlab | >=16.3.0<16.3.5 | |
| Gitlab Gitlab | =16.4.0 | |
| Gitlab Gitlab | =16.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this GitLab issue?
The vulnerability ID of this GitLab issue is CVE-2023-5198.
What versions of GitLab are affected by this vulnerability?
This vulnerability affects all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1 of GitLab.
How can a removed project member exploit this vulnerability?
A removed project member can exploit this vulnerability by writing to protected branches using deploy keys.
What is the severity of CVE-2023-5198?
The severity of CVE-2023-5198 is medium.
How can I fix this vulnerability in GitLab?
To fix this vulnerability, you should update GitLab to version 16.2.7 or later for versions prior to 16.3.5, and update to version 16.3.5 or later for versions starting from 16.3 before 16.4.1.
- collector/nvd-api
- collector/nvd-index
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/tags
- agent/event
- agent/description
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- vendor/gitlab
- canonical/gitlab gitlab
- version/gitlab gitlab/8.15
- version/gitlab gitlab/16.3.0
- version/gitlab gitlab/16.4.0