Description
An issue has been discovered in GitLab affecting all versions before 15.9.8, 15.10.0 before 15.10.7, and 15.11.0 before 15.11.3. A malicious developer could use a git feature called refs/replace to smuggle content into a merge request which would not be visible during review in the UI.
References (3)
Core 3
Core References
Third Party Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2181.json
Permissions Required
https://hackerone.com/reports/1938185
Scores
CVSS v3
6.3
EPSS
0.0187
EPSS Percentile
83.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
Status
published
Products (1)
gitlab/gitlab
< 15.9.8
Published
May 12, 2023
Tracked Since
Feb 18, 2026