CVE-2023-0485

MEDIUM

Gitlab < 15.8.5 - Exposure to Wrong Actor

Title source: rule

Description

An issue has been discovered in GitLab affecting all versions starting from 13.11 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible that a project member demoted to a user role to read project updates by doing a diff with a pre-existing fork.

References (3)

[Third Party Advisory] https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0485.json

View Writeup ZIP pw:eip

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/389191

[Permissions Required] https://hackerone.com/reports/1837937

Scores

CVSS v3 6.5

EPSS 0.0042

EPSS Percentile 61.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-668

Status published

Products (1)

gitlab/gitlab 13.11 - 15.8.5

Published May 03, 2023

Tracked Since Feb 18, 2026