CVE-2023-3509

Name of the Vulnerable Software and Affected Versions GitLab versions prior to 16.7.6 GitLab versions 16.8 through 16.8.2 GitLab versions 16.9 through 16.9.0

Description An issue has been discovered in GitLab that allows group members with a sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group. This issue is related to inadequate management of SSH keys during deployment script automation. Exploitation of this issue may allow a remote attacker to modify the title of private deploy keys.

Recommendations For GitLab versions prior to 16.7.6, update to version 16.7.6 or later. For GitLab versions 16.8 through 16.8.2, update to version 16.8.3 or later. For GitLab versions 16.9 through 16.9.0, update to version 16.9.1 or later. As a temporary workaround, consider restricting the sub-maintainer role's access to deploy keys until a patch is available.