CVE-2023-3920

MEDIUM

GitLab 11.2-16.2.7, 16.3-16.3.4, 16.4 - Incorrect Authorization

Title source: llm
STIX 2.1

Description

An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation.

References (2)

Core 2
Core References
Issue Tracking, Vendor Advisory issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/417481
Permissions Required technical-description exploit permissions-required
https://hackerone.com/reports/2058121

Scores

CVSS v3 4.3
EPSS 0.0032
EPSS Percentile 55.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (5)
gitlab/gitlab 16.4.0 (2 CPE variants)
gitlab/gitlab 11.2 - 16.2.8 (2 CPE variants)
GitLab/GitLab 11.2 - 16.2.8
GitLab/GitLab 16.3 - 16.3.5
GitLab/GitLab 16.4 - 16.4.1
Published Sep 29, 2023
Tracked Since Feb 18, 2026