CVE-2023-3915

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-3915
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3915.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-3915
Aliases
Published
2023-09-01T11:15:42Z
Modified
2025-07-29T11:09:06.419248Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects.

References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
4961ad113f3afe23965ac12285eaab31315ab0c6
Fixed
075efefa5f88454cb1afda1f0270e91edcb55ed3

Affected versions

v16.*

v16.1.0-ee
v16.1.1-ee
v16.1.2-ee
v16.1.3-ee
v16.1.4-ee