Insufficient Warning on Merge Rights for Protected Branches

CVE-2023-3441

6.6MEDIUM

Key Information

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 1 October 2024

Summary

An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches.

Affected Version(s)

GitLab < 16.4

CVSS V3.1

Score:

6.6

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
Oct 1, 2024
Vulnerability Reserved.
Jun 28, 2023

Collectors

NVD DatabaseMitre Database

Credit

Thanks [samuellg](https://hackerone.com/samuellg) for reporting this vulnerability through our HackerOne bug bounty program