
Rewterz Threat Advisory – Multiple GitLab Community Edition and Enterprise Edition Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-2030 CVSS:3.5

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in commit signature validation. By pushing a specially crafted signed commit, an attacker could exploit this vulnerability to modify the metadata of a signed commit without the signature being reported as invalid.
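The check a reviewer of any commit-signature validator wants is that the payload handed to the signature verifier covers every header of the commit object, not just the ones that happen to precede the signature. The following added example is not GitLab's code; it shows how git itself defines the signed payload of a commit (the object with the gpgsig header and its continuation lines removed) and contrasts it with a reconstruction that stops at the signature header, which would let any later header be edited unnoticed. The commit object and its signature text are constructed placeholders, and the position of the encoding header after gpgsig is an assumption made for the illustration.

```python
"""Added example (not GitLab's code): how a git commit's signed payload is built.

git signs the commit object with the 'gpgsig' header (and its continuation
lines) removed; every other header, including any that appears after
'gpgsig', is covered by the signature. The commit object below is constructed
for this example and the signature text in it is a placeholder, not a real
signature; real verification would pass payload and signature to gpg --verify.
"""
from typing import List, Tuple

SIG_HEADER = "gpgsig"

# Constructed commit object. The 'encoding' header placed after gpgsig is the
# piece of metadata whose signature coverage we want to check.
COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "author Alice <alice@example.com> 1700000000 +0000\n"
    "committer Alice <alice@example.com> 1700000000 +0000\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " iQEzBAABCAAdFiEEplaceholder\n"
    " -----END PGP SIGNATURE-----\n"
    "encoding ISO-8859-1\n"
    "\n"
    "Add feature\n"
)


def split_commit(raw: str) -> Tuple[List[str], str]:
    """Split a commit object into header fields and message.

    Continuation lines (leading space) are joined onto the header they extend.
    """
    head, _, message = raw.partition("\n\n")
    headers: List[str] = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers, message


def signed_payload(raw: str) -> Tuple[str, str]:
    """Return (payload, signature) the way git does.

    payload   = the whole object with the gpgsig header removed
    signature = the gpgsig value with the continuation-line indent stripped
    """
    headers, message = split_commit(raw)
    kept: List[str] = []
    signature = ""
    for field in headers:
        if field.startswith(SIG_HEADER + " "):
            lines = field.split("\n")
            signature = "\n".join(
                [lines[0][len(SIG_HEADER) + 1:]] + [ln[1:] for ln in lines[1:]]
            )
        else:
            kept.append(field)
    return "\n".join(kept) + "\n\n" + message, signature


def payload_before_signature_only(raw: str) -> str:
    """Flawed reconstruction, shown only as a contrast: keeps just the headers
    that precede gpgsig, so any header after it can change without effect."""
    headers, message = split_commit(raw)
    kept: List[str] = []
    for field in headers:
        if field.startswith(SIG_HEADER + " "):
            break
        kept.append(field)
    return "\n".join(kept) + "\n\n" + message


def metadata_change_detected(original: str, modified: str) -> bool:
    """True when the git-style payload differs between the two objects, i.e.
    the original signature would no longer verify over the modified one."""
    return signed_payload(original)[0] != signed_payload(modified)[0]


if __name__ == "__main__":
    tampered = COMMIT.replace("encoding ISO-8859-1", "encoding UTF-16")
    print("git payload changed:", metadata_change_detected(COMMIT, tampered))
    print("headers-before-signature payload changed:",
          payload_before_signature_only(COMMIT)
          != payload_before_signature_only(tampered))
```

Run against the constructed object, the git-style payload changes when the trailing header is edited (the signature would fail), while the truncated reconstruction yields the same payload for both objects and would keep reporting the commit as verified.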

CVE-2023-6955 CVSS:6.6

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by an improper access control vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to create a workspace in one group that is associated with an agent from another group.

CVE-2023-4812 CVSS:7.6

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions. By adding further changes to a merge request that has already been approved, an attacker could exploit this vulnerability to bypass CODEOWNERS approval removal, so that the new changes are merged without a fresh review by the code owners.

CVE-2023-5356 CVSS:9.6

GitLab Community Edition and Enterprise Edition could allow a remote authenticated attacker to bypass security restrictions, caused by an incorrect authorization check in the Slack and Mattermost integrations. By sending a specially crafted request, an attacker could exploit this vulnerability to execute slash commands as another user. These are GitLab ChatOps slash commands (issue and merge request actions routed through the chat integrations), not operating-system commands.

Impact

  • Security Bypass
  • Gain Access

Indicators Of Compromise

CVE

  • CVE-2023-2030
  • CVE-2023-6955
  • CVE-2023-4812
  • CVE-2023-5356

Affected Vendors

GitLab

Affected Products

  • GitLab Community Edition and Enterprise Edition 16.5.x prior to 16.5.6 (16.5.5 and earlier)
  • GitLab Community Edition and Enterprise Edition 16.6.x prior to 16.6.4 (16.6.3 and earlier)
  • GitLab Community Edition and Enterprise Edition 16.7.x prior to 16.7.2 (16.7.1 and earlier)
  • Releases older than the 16.5 branch are also affected and have no patched release in their own branch

Remediation

Upgrade self-managed GitLab Community Edition and Enterprise Edition instances to 16.7.2, 16.6.4 or 16.5.6 (or any later release), the patch releases that address these issues, available from the GitLab Website. GitLab.com already runs the patched version.

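Before and after upgrading, a practitioner wants a mechanical way to tell whether an instance's reported version carries the fix, since the patched release differs per minor branch. The following added example is not GitLab's code; it parses the version string that a GitLab instance reports (the same format as the `version` field of `GET /api/v4/version`) and compares it with the fixed releases 16.5.6, 16.6.4 and 16.7.2. The JSON body is a constructed sample; fetching it from a real instance requires an access token and is left to the caller.

```python
"""Added example (not GitLab's code): check a reported GitLab version against
the patch releases that address the CVEs in this advisory.

Fixed releases are 16.5.6, 16.6.4 and 16.7.2. Earlier releases in those
branches are affected, as are all older branches, which received no backport.
"""
import json
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Earliest patched release per affected minor branch.
FIXED: Dict[Tuple[int, int], Version] = {
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}

# Constructed sample of a GET /api/v4/version response body; the '-ee' suffix
# marks Enterprise Edition, '-ce' Community Edition.
SAMPLE_RESPONSE = '{"version": "16.6.3-ee", "revision": "0000000"}'


def parse_version(text: str) -> Version:
    """Turn '16.6.3-ee' (or plain '16.6.3') into (16, 6, 3).

    The edition suffix is irrelevant here: CE and EE share the same fix levels.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def is_patched(text: str) -> bool:
    """True if the version includes the fixes for the four CVEs above."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        return version >= FIXED[branch]
    # Branches newer than the newest fixed one were cut after the fix landed;
    # branches older than the oldest fixed one never received a backport.
    return branch > max(FIXED)


def check_version_response(body: str) -> Tuple[str, bool]:
    """Parse a /api/v4/version JSON body and report (version, patched)."""
    version = json.loads(body)["version"]
    return version, is_patched(version)


if __name__ == "__main__":
    reported, patched = check_version_response(SAMPLE_RESPONSE)
    state = "patched" if patched else "AFFECTED, upgrade required"
    print(f"GitLab {reported}: {state}")
```

The branch comparison matters more than a plain "is it the latest" test: 16.5.8 is older than 16.7.1 by number but patched, while 16.7.1 is not.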