CVE-2023-6680

HIGH

Gitlab < 16.4.4 - Improper Certificate Validation

Title source: rule

Description

An improper certificate validation issue in Smartcard authentication in GitLab EE affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows an attacker to authenticate as another user given their public key if they use Smartcard authentication. Smartcard authentication is an experimental feature and has to be manually enabled by an administrator.

References (1)

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/421607

Scores

CVSS v3 7.4

EPSS 0.0003

EPSS Percentile 6.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Classification

CWE

CWE-295

Status published

Affected Products (1)

gitlab/gitlab < 16.4.4

Timeline

Published Dec 15, 2023

Tracked Since Feb 18, 2026