CVE-2023-0485

MEDIUM

Gitlab < 15.8.5 - Exposure to Wrong Actor

Title source: rule

Description

An issue has been discovered in GitLab affecting all versions starting from 13.11 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible that a project member demoted to a user role to read project updates by doing a diff with a pre-existing fork.

References (3)

[Third Party Advisory] https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0485.json

View Writeup ZIP pw:eip

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/389191

[Permissions Required] https://hackerone.com/reports/1837937

Scores

CVSS v3 6.5

EPSS 0.0031

EPSS Percentile 54.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-668

Status published

Affected Products (1)

gitlab/gitlab < 15.8.5

Timeline

Published May 03, 2023

Tracked Since Feb 18, 2026