CVE-2023-6564

Summary

An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches.

Affected Software

VendorProductVersion RangeStatus
GitLabGitLab16.4.3 < 16.4.4affected
GitLabGitLab16.5.3 < 16.5.4affected
GitLabGitLab16.6.1 < 16.6.2affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References