CVE-2023-6564 MEDIUM

CVE-2023-6564: Incorrect Authorization in GitLab

Vendor Gitlab
Product GitLab
Weakness CWE-863 · Incorrect authorization
Published February 8, 2024
Last update October 3, 2024
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches.

Key dates

02Disclosure timeline

February 8, 2024 CVE published
October 3, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-40914 Apache Artemis Stomp Protocol, Apache ActiveMQ Artemis Stomp Protocol: Address routing-type can be updated by STOMP protocol user without the createAddress permission CVE-2025-24526 Channel export permitted on archived channel when viewing archived channels is disabled CVE-2025-30155 Tuleap does not enforce read permissions on parent trackers in the REST API CVE-2025-58134 Zoom Workplace Clients for Windows - Incorrect Authorization CVE-2025-62275