Description
An issue has been discovered in GitLab EE affecting all versions affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories.
References (2)
Core 2
Core References
Broken Link issue-tracking
https://gitlab.com/gitlab-org/gitlab/-/issues/414367
Permissions Required technical-description
exploit
permissions-required
https://hackerone.com/reports/2004158
Scores
CVSS v3
5.4
EPSS
0.0004
EPSS Percentile
11.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-286
Status
published
Products (2)
gitlab/gitlab
16.4.0 (2 CPE variants)
gitlab/gitlab
11.11 - 16.2.8 (2 CPE variants)
Published
Sep 29, 2023
Tracked Since
Feb 18, 2026