PT-2023-8538 · Gitlab · Gitlab Ee Ultimate+2

Published 2023-12-06 · Updated 2024-10-03 · CVE-2023-6564

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GitLab EE Premium and Ultimate, versions 16.4.3 through 16.6.1
Description: Inadequate access control in GitLab lets subgroup members holding the Developer role push or merge to protected branches in projects that use subgroups to define access permissions. An authenticated, low-privileged user (PR:L) could thereby modify protected branch content they are not meant to change. The CVSS vector rates the impact as integrity only (I:H); there is no confidentiality or availability impact (C:N/A:N), since a Developer already has read access to the repository.
Recommendations: For versions 16.4.3, 16.5.3 and 16.6.1, restrict the Developer role in subgroups so that subgroup Developers cannot reach protected branches until a fixed release is applied. As a temporary workaround, review the protected-branch settings of affected projects and adjust subgroup permissions so that only the intended members hold push and merge access. Limit access to sensitive data and projects to reduce the exposure should the flaw be exploited.
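The review the recommendation asks for is easiest to do against the protected-branches API rather than by clicking through each project. The script below is an added example, not GitLab's own code: it lists, for each protected branch, every push or merge grant that is either at Developer level or given to a group (the path a subgroup Developer would use on an affected version), so each such grant can be checked against the intended membership. The endpoint, `PRIVATE-TOKEN` header and field names are those of GitLab's protected branches REST API; the sample response is constructed so the audit runs offline, and `BASE_URL`, `PROJECT_ID` and `TOKEN` are placeholders for a real instance.

```python
"""Review aid for the workaround above: list protected branches whose push or
merge access is granted at Developer level or through a group grant.

Added example, not GitLab code.  The endpoint, header and field names are those
of GitLab's protected branches REST API; SAMPLE_PROTECTED_BRANCHES is a
constructed response so the audit runs offline, and BASE_URL/PROJECT_ID/TOKEN
in the demo comment are placeholders for a real instance."""
import json
import urllib.request

# Access-level values used by GitLab's protected branches API.
NO_ACCESS, DEVELOPER, MAINTAINER, ADMIN = 0, 30, 40, 60

# Versions named in the advisory text above as needing the workaround.
AFFECTED_VERSIONS = {"16.4.3", "16.5.3", "16.6.1"}

# Constructed sample shaped like GET /projects/:id/protected_branches output.
SAMPLE_PROTECTED_BRANCHES = json.loads("""
[
  {"id": 1, "name": "main",
   "push_access_levels":  [{"access_level": 40, "access_level_description": "Maintainers", "user_id": null, "group_id": null}],
   "merge_access_levels": [{"access_level": 40, "access_level_description": "Maintainers", "user_id": null, "group_id": null}]},
  {"id": 2, "name": "release/*",
   "push_access_levels":  [{"access_level": 40, "access_level_description": "platform/backend", "user_id": null, "group_id": 42}],
   "merge_access_levels": [{"access_level": 30, "access_level_description": "Developers + Maintainers", "user_id": null, "group_id": null}]},
  {"id": 3, "name": "hotfix",
   "push_access_levels":  [{"access_level": 30, "access_level_description": "Developers + Maintainers", "user_id": null, "group_id": null}],
   "merge_access_levels": [{"access_level": 40, "access_level_description": "Maintainers", "user_id": null, "group_id": null}]}
]
""")


def needs_workaround(version):
    """True when the instance runs one of the versions the recommendation names."""
    return version.strip() in AFFECTED_VERSIONS


def fetch_protected_branches(base_url, project_id, token, per_page=100):
    """Fetch all protected branches of a project, following page-number pagination."""
    results, page = [], 1
    while True:
        url = (f"{base_url.rstrip('/')}/api/v4/projects/{project_id}"
               f"/protected_branches?per_page={per_page}&page={page}")
        req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        results.extend(batch)
        if len(batch) < per_page:
            return results
        page += 1


def audit_protected_branches(branches, max_ok_level=MAINTAINER):
    """Return one finding per push/merge grant that is either below
    max_ok_level (Developer or lower) or given to a group (group_id set).

    Group grants are the case this advisory concerns: on an affected version,
    Developer members of a subgroup could push or merge through them, so each
    such grant should be checked against the intended membership."""
    findings = []
    for branch in branches:
        for action in ("push", "merge"):
            for grant in branch.get(f"{action}_access_levels", []):
                level = grant.get("access_level", NO_ACCESS)
                if grant.get("group_id") is not None:
                    reason = "group_grant"
                elif NO_ACCESS < level < max_ok_level:
                    reason = "below_maintainer"
                else:
                    continue
                findings.append({
                    "branch": branch["name"],
                    "action": action,
                    "reason": reason,
                    "access_level": level,
                    "description": grant.get("access_level_description", ""),
                    "group_id": grant.get("group_id"),
                })
    return findings


def format_findings(findings):
    """One human-readable line per finding, for a review ticket."""
    return [f"{f['branch']}: {f['action']} via '{f['description']}' "
            f"(level {f['access_level']}, {f['reason']})" for f in findings]


if __name__ == "__main__":
    # Offline demo on the constructed sample.  Against a real instance:
    # branches = fetch_protected_branches(BASE_URL, PROJECT_ID, TOKEN)
    for line in format_findings(audit_protected_branches(SAMPLE_PROTECTED_BRANCHES)):
        print(line)
```

On the sample, `main` produces no finding, `release/*` is flagged twice (a group grant on push and a Developer-level merge rule) and `hotfix` once (Developer-level push). A group grant is reported regardless of its numeric level because the advisory's point is that subgroup membership, not the access level shown on the rule, decided who could push on the affected versions.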


Weakness Enumeration

Improper Privilege Management (CWE-269)
Improper Authorization (CWE-285)
Incorrect Authorization (CWE-863)

Related Identifiers

BDU:2024-01132
BIT-GITLAB-2023-6564
CVE-2023-6564

Affected Products

Gitlab
Gitlab Ee Premium
Gitlab Ee Ultimate