CVE-2023-6477

MEDIUM

GitLab EE <16.7.6-16.8.3-16.9.1 - Privilege Escalation

Title source: llm

Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation.

References (2)

[Permissions Required] https://gitlab.com/gitlab-org/gitlab/-/issues/433463

[Permissions Required] https://hackerone.com/reports/2270898

Scores

CVSS v3 6.7

EPSS 0.0001

EPSS Percentile 1.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Classification

CWE

CWE-266

Status published

Affected Products (2)

gitlab/gitlab < 16.7.6

gitlab/gitlab

Timeline

Published Feb 22, 2024

Tracked Since Feb 18, 2026