PT-2023-8704 · Gitlab · Gitlab Ce/Ee+1
Joaxcaron · Published 2023-12-14 · Updated 2024-10-03
CVE-2023-6477
CVSS v2.0: 8.7 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions
GitLab EE versions 16.5 through 16.7.5
GitLab EE versions 16.8 through 16.8.2
GitLab EE versions 16.9 through 16.9.0
Description
An issue has been discovered in GitLab EE related to insufficient access control. When a user is assigned a custom role with the admin group member permission, they may be able to make a group, other members, or themselves Owners of that group, which may lead to privilege escalation. This issue may allow a remote attacker to elevate their privileges.
Recommendations
For GitLab EE versions 16.5 through 16.7.5, update to version 16.7.6 or later.
For GitLab EE versions 16.8 through 16.8.2, update to version 16.8.3 or later.
For GitLab EE versions 16.9 through 16.9.0, update to version 16.9.1 or later.
As a temporary workaround, consider restricting the use of custom roles with the admin group member permission until a patch is available.
Exploit
Fix
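The following script is an added example, not part of this advisory or of GitLab's own code. It encodes the affected version ranges and fix versions listed above so an administrator can check an installed GitLab EE version, and it audits a list of custom member roles for the admin group member permission that the workaround asks to restrict. The JSON shape of the role list and the field name admin_group_member are assumptions modelled on GitLab's member roles API; the sample payload is constructed.

```python
"""Added example (not from the advisory): version check against the affected
ranges above, plus an audit of custom roles carrying the admin-group-member
permission. Role JSON shape and the `admin_group_member` field are assumed."""
from __future__ import annotations
import json

# Affected ranges taken from the advisory: (first affected, last affected, fixed-in)
AFFECTED_RANGES = [
    ((16, 5, 0), (16, 7, 5), "16.7.6"),
    ((16, 8, 0), (16, 8, 2), "16.8.3"),
    ((16, 9, 0), (16, 9, 0), "16.9.1"),
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; an edition suffix such as '-ee' is dropped."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fix_version_for(version: str) -> str | None:
    """Return the upgrade target if `version` falls in an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def roles_with_admin_group_member(member_roles_json: str) -> list[str]:
    """Names of custom roles that carry the admin-group-member permission.

    Input is assumed to be the JSON array returned by the member roles API,
    where each role object has a boolean `admin_group_member` field (assumption).
    """
    roles = json.loads(member_roles_json)
    return [r["name"] for r in roles if r.get("admin_group_member") is True]


# Constructed sample payload (not real data) in the assumed API shape
SAMPLE_ROLES = json.dumps([
    {"id": 1, "name": "Reviewer", "base_access_level": 20, "admin_group_member": False},
    {"id": 2, "name": "Group admin helper", "base_access_level": 30, "admin_group_member": True},
    {"id": 3, "name": "Vuln triage", "base_access_level": 30, "admin_vulnerability": True},
])

if __name__ == "__main__":
    for v in ["16.6.2", "16.7.6", "16.8.1-ee", "16.9.0", "16.10.0"]:
        print(v, "->", fix_version_for(v) or "not affected")
    print("roles to restrict until patched:", roles_with_admin_group_member(SAMPLE_ROLES))
```

Running the script prints the upgrade target for each affected version and names the one sample role that would need to be restricted under the workaround; with a real instance, the role list would come from the member roles endpoint instead of the constructed sample.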
Improper Access Control
Incorrect Privilege Assignment
Improper Privilege Management
Affected Products
Gitlab
Gitlab Ce/Ee