CVE-2023-2001

MEDIUM

GitLab < 15.10.8, 15.11 < 15.11.7, 16.0 < 16.0.2 - Authentication Bypass by Spoofing via Protected Tag

Title source: llm

Description

An issue has been discovered in GitLab CE/EE affecting all versions before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker was able to spoof protected tags, which could potentially lead a victim to download malicious code.

References (3)

Core 3

Core References

Vendor Advisory

https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2001.json

Broken Link

https://gitlab.com/gitlab-org/gitlab/-/issues/406764

Permissions Required, Third Party Advisory

https://hackerone.com/reports/1908423

Scores

CVSS v3 4.3

EPSS 0.0044

EPSS Percentile 63.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-290

Status published

Products (1)

gitlab/gitlab < 15.10.8 (2 CPE variants)

Published Jun 07, 2023

Tracked Since Feb 18, 2026