CVE-2023-3907

MEDIUM

GitLab 16.0-16.4.3, 16.5-16.5.3, 16.6-16.6.1 - Privilege Escalation via Project Access Token

Title source: llm
STIX 2.1

Description

A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner

References (2)

Core 2
Core References
Issue Tracking, Vendor Advisory issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/418878
Permissions Required technical-description exploit permissions-required
https://hackerone.com/reports/2058934

Scores

CVSS v3 4.9
EPSS 0.0003
EPSS Percentile 7.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-286
Status published
Products (4)
GitLab/GitLab 16.0 - 16.4.4
gitlab/gitlab 16.0.0 - 16.4.4
GitLab/GitLab 16.5 - 16.5.4
GitLab/GitLab 16.6 - 16.6.2
Published Dec 17, 2023
Tracked Since Feb 18, 2026