CVE-2023-5198

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-5198

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5198.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-5198

Aliases

BIT-gitlab-2023-5198

Downstream

UBUNTU-CVE-2023-5198

Published

2023-09-29T07:01:42.219Z

Modified

2026-04-10T05:06:24.107645Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Incorrect Authorization in GitLab

Details

An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/5xxx/CVE-2023-5198.json",
    "cna_assigner": "GitLab",
    "cwe_ids": [
        "CWE-863"
    ]
}

References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

Last affected

e220da8eb242957d041d58f279ebbf21665915b1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "16.2.7"
        }
    ]
}

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

3dfd4e0bcc7eae4330e7fed87ec74bee9a8bdf2d

Fixed

40d6bde8c59f78957b08b3a7cd9622a97b7af981

Database specific

{
    "versions": [
        {
            "introduced": "16.3"
        },
        {
            "fixed": "16.3.5"
        }
    ]
}

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

e4c1c182610739c1b1d10a8eacbea1f5aa837ad6

Fixed

229bc5f59850b16213b035138ad76f65b6724864

Database specific

{
    "versions": [
        {
            "introduced": "16.4"
        },
        {
            "fixed": "16.4.1"
        }
    ]
}

Affected versions

Other

11-10-0cfa69752d8-0d9531c80-ee

11-10-0cfa69752d8-74ffd66ae-ee

11-10-119f9509d50-6d7537235-ee

v1.*

v1.2.0

v1.2.0pre

v1.2.1

v1.2.2

v16.*

v16.2.0-ee

v16.2.0-rc42-ee

v16.2.0-rc43-ee

v16.2.0-rc44-ee

v16.2.0-rc45-ee

v16.2.1-ee

v16.2.3-ee

v16.2.4-ee

v16.2.6-ee

v16.2.7-ee

v16.3.0-ee

v16.3.2-ee

v16.3.3-ee

v16.4.0-ee

v2.*

v2.3.0

v2.3.0pre

v2.3.1

v2.4.0

v2.4.0pre

v2.4.1

v2.5.0

v2.6.0

v2.6.0pre

v2.6.1

v2.6.2

v2.6.3

v2.7.0

v2.7.0pre

v2.8.0

v2.8.0pre

v2.8.1

v2.8.2

v2.9.0

v2.9.1

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.1.0

v4.*

v4.0.0

v4.0.0rc1

v4.0.0rc2

v5.*

v5.0.0

v5.1.0

v5.2.0

v6.*

v6.0.0-ee

v6.0.0-ee.beta

v6.0.0-ee.rc1

v6.1.0-ee

v6.3.0-ee

v6.3.1-ee

v6.4.0-ee

v6.5.0-ee

v6.6.0-ee

v6.7.0-ee

v6.7.0.rc1-ee

v6.8.0-ee

v7.*

v7.0.0-ee

v7.1.0-ee

v7.1.0.rc1-ee

v7.2.0.rc1-ee

v7.2.0.rc2-ee

v7.2.0.rc3-ee

v7.2.0.rc4-ee

v7.2.0.rc5-ee

v7.3.0-ee

v7.3.0.rc1-ee

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5198.json"