CVE-2023-5226

An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.
References
Link Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/426400 Broken Link Vendor Advisory
https://hackerone.com/reports/2173053 Permissions Required Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.6.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:16.6.0:*:*:*:enterprise:*:*:*

History

06 Dec 2023, 18:57

Type Values Removed Values Added
References () https://gitlab.com/gitlab-org/gitlab/-/issues/426400 - () https://gitlab.com/gitlab-org/gitlab/-/issues/426400 - Broken Link, Vendor Advisory
References () https://hackerone.com/reports/2173053 - () https://hackerone.com/reports/2173053 - Permissions Required, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE NVD-CWE-noinfo
CPE cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:16.6.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:16.6.0:*:*:*:community:*:*:*
First Time Gitlab
Gitlab gitlab

01 Dec 2023, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-12-01 07:15

Updated : 2024-02-28 20:54


NVD link : CVE-2023-5226

Mitre link : CVE-2023-5226

CVE.ORG link : CVE-2023-5226


JSON object : View

Products Affected

gitlab

  • gitlab
CWE
NVD-CWE-noinfo CWE-94

Improper Control of Generation of Code ('Code Injection')