CVE-2023-6477
CVE-2023-6477 is a medium-severity vulnerability rated 6.7/10 on the CVSS scale. An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, and all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with the admin_group_member permission, they may be able to make a group, other members, or themselves Owners of that group, which may lead to privilege escalation. EPSS estimates a 0.53% chance of exploitation in the next 30 days.
Description
An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, and all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with the admin_group_member permission, they may be able to make a group, other members, or themselves Owners of that group, which may lead to privilege escalation.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Gitlab | Gitlab | >= 16.5.0, < 16.7.6 |
| Gitlab | Gitlab | >= 16.8.0, <= 16.8.3 |
| Gitlab | Gitlab | 16.9.0 |
References
- https://gitlab.com/gitlab-org/gitlab/-/issues/433463 (Permissions Required)
- https://hackerone.com/reports/2270898 (Permissions Required)
Source: NVD / NIST
