CVE-2023-2022: Not Using Password Aging in Gitlab

Severity
NVD: 4.3 MEDIUM
OSV: 8.8, 7.8, 7.5, 6.5, 5.5
EPSS
0.1%
top 69.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 2
Latest update: Dec 9

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting before 16.0.8, all versions starting from 16.1 before 16.1.3, and all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they don't have access to merge.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (27 packages)

Source     | Package        | Affected from                      | Fixed in
CVEListV5  | gitlab/gitlab  | 16.1.0                             | 16.1.3 (+1)
NVD        | gitlab/gitlab  | 16.1                               | 16.1.3 (+2)
debian     | debian/gitlab  | < gitlab 16.0.8+ds1-1 (sid)        |
gitlab     | gitlab/gitlab  |                                    |

📋Vendor Advisories

GitLab, 2023-08-02: CVE-2023-2022: An issue has been discovered in GitLab CE/EE affecting all versions starting before 16.0.8, all versions starting from 16.1 before 16.1.3, all version
