CVE-2023-6840

MEDIUM

Gitlab < 16.6.7 - Missing Authorization

Title source: rule

Description

An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch that bypasses the security policy added to block MR.

References (2)

[Issue Tracking, Permissions Required] https://gitlab.com/gitlab-org/gitlab/-/issues/435500

[Permissions Required, Technical Description] https://hackerone.com/reports/2280292

Scores

CVSS v3 6.7

EPSS 0.0001

EPSS Percentile 0.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

Classification

CWE

CWE-862

Status published

Affected Products (1)

gitlab/gitlab < 16.6.7

Timeline

Published Feb 07, 2024

Tracked Since Feb 18, 2026