CVE-2023-4812

Name of the Vulnerable Software and Affected Versions GitLab EE versions 15.3 through 16.5.6 GitLab EE versions 16.6 through 16.6.4 GitLab EE versions 16.7 through 16.7.2

Description The issue is related to insufficient access control to the CODEOWNERS file in GitLab EE, allowing a remote attacker to bypass required approvals by adding changes to a previously approved merge request. This could potentially lead to unauthorized access, modification, or deletion of data.

Recommendations For versions 15.3 through 16.5.6, update to version 16.5.6 or later to resolve the issue. For versions 16.6 through 16.6.4, update to version 16.6.4 or later to resolve the issue. For versions 16.7 through 16.7.2, update to version 16.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the CODEOWNERS file to minimize the risk of exploitation.