CVE-2023-6955

MEDIUM

GitLab < 16.5.6, 16.6 < 16.6.4, 16.7 < 16.7.2 - Missing Authorization in Remote Development Workspace Creation

Title source: llm
STIX 2.1

Description

A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.

References (1)

Core 1
Core References
Issue Tracking, Vendor Advisory issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/432188

Scores

CVSS v3 6.6
EPSS 0.0007
EPSS Percentile 20.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (6)
gitlab/gitlab 16.7.0 (2 CPE variants)
gitlab/gitlab 16.7.1 (2 CPE variants)
gitlab/gitlab < 16.5.6 (2 CPE variants)
GitLab/GitLab < 16.5.6
GitLab/GitLab 16.6 - 16.6.4
GitLab/GitLab 16.7 - 16.7.2
Published Jan 12, 2024
Tracked Since Feb 18, 2026