CVE-2023-6840
Severity: MEDIUM
GitLab 16.4-16.6.6, 16.7-16.7.4, 16.8-16.8.1 - Authenticated Protected Branch Rename Bypass
Title source: llmDescription
An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to rename a protected branch and thereby bypass the security policy that was added to block merge requests (MRs).
Core References (2)
- https://gitlab.com/gitlab-org/gitlab/-/issues/435500 (Issue Tracking, Permissions Required)
- https://hackerone.com/reports/2280292 (Permissions Required, Technical Description, Exploit)
Scores
CVSS v3: 6.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0001
EPSS Percentile: 0.7%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-862
Status: published
Products (4)
- GitLab/GitLab 16.4 - 16.6.7
- gitlab/gitlab 16.4.0 - 16.6.7
- GitLab/GitLab 16.7 - 16.7.5
- GitLab/GitLab 16.8 - 16.8.2
Published: Feb 07, 2024
Tracked Since: Feb 18, 2026