PT-2023-26806 · Gitlab · Gitlab Ce/Ee+1

Joaxcaron · Published 2023-09-01 · Updated 2024-03-06 · CVE-2023-3915

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
GitLab EE versions 16.1 through 16.1.4
GitLab EE versions 16.2 through 16.2.4
GitLab EE versions 16.3 through 16.3.0

Description
An issue has been discovered in GitLab EE where an external user with an owner role on any group can escalate their privileges on the instance. This can be done by creating a service account in that group, which is not classified as external and can be used to access internal projects.

Recommendations
For versions 16.1 through 16.1.4, update to version 16.1.5 or later.
For versions 16.2 through 16.2.4, update to version 16.2.5 or later.
For versions 16.3 through 16.3.0, update to version 16.3.1 or later.
As a temporary workaround, consider restricting the ability to create service accounts in groups where external users have an owner role.

Exploit

Fix

Weakness Enumeration
Incorrect Permission

Related Identifiers
BIT-GITLAB-2023-3915
CVE-2023-3915

Affected Products
Gitlab
Gitlab Ce/Ee