CVE-2023-6477 — Incorrect Privilege Assignment in Gitlab

CWE-266 — Incorrect Privilege Assignment CWE-269 — Improper Privilege Management5 documents5 sources

Severity

6.7MEDIUMNVD

EPSS

0.0%

top 98.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedFeb 22

Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:LExploitability: 1.2 | Impact: 5.5

Affected Packages5 packages

▶CVEListV5gitlab/gitlab16.5 — 16.7.6+2

▶NVDgitlab/gitlab16.5.0 — 16.7.6+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-x645-349v-xwm6: An issue has been discovered in GitLab EE affecting all versions starting from 16↗2024-02-22

▶

OSV

CVE-2023-6477: An issue has been discovered in GitLab EE affecting all versions starting from 16↗2024-02-22

▶

📋Vendor Advisories

GitLab

CVE-2023-6477: An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all↗2024-02-22

▶

Debian

CVE-2023-6477: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1...↗2023

▶