CVE-2023-5226

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-5226

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5226.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-5226

Aliases

BIT-gitlab-2023-5226

Downstream

UBUNTU-CVE-2023-5226

Published

2023-12-01T07:01:43.131Z

Modified

2026-04-10T05:06:30.333333Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Improper Control of Generation of Code ('Code Injection') in GitLab

Details

An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.

Database specific

{
    "cna_assigner": "GitLab",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/5xxx/CVE-2023-5226.json",
    "cwe_ids": [
        "CWE-94"
    ]
}

References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

Fixed

7de773390b4ddc765d102467a62e607aa9cfe1aa

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "16.4.3"
        }
    ]
}

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

fc87c9d4cca1536abcf902b4128f5c2004d87162

Fixed

8583797ef98a5141565e83105e55b0b124e60aaa

Database specific

{
    "versions": [
        {
            "introduced": "16.5"
        },
        {
            "fixed": "16.5.3"
        }
    ]
}

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

94991886af3e3820aa09fa353b29cf8557c93168

Fixed

9aa991a5ee9f61bd890d5c9cbf57c665ff115e70

Database specific

{
    "versions": [
        {
            "introduced": "16.6"
        },
        {
            "fixed": "16.6.1"
        }
    ]
}

Affected versions

Other

11-10-0cfa69752d8-0d9531c80-ee

11-10-0cfa69752d8-74ffd66ae-ee

11-10-119f9509d50-6d7537235-ee

v1.*

v1.2.0

v1.2.0pre

v1.2.1

v1.2.2

v16.*

v16.4.0-ee

v16.4.0-rc42-ee

v16.4.0-rc43-ee

v16.5.0-ee

v16.5.2-ee

v16.6.0-ee

v2.*

v2.3.0

v2.3.0pre

v2.3.1

v2.4.0

v2.4.0pre

v2.4.1

v2.5.0

v2.6.0

v2.6.0pre

v2.6.1

v2.6.2

v2.6.3

v2.7.0

v2.7.0pre

v2.8.0

v2.8.0pre

v2.8.1

v2.8.2

v2.9.0

v2.9.1

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.1.0

v4.*

v4.0.0

v4.0.0rc1

v4.0.0rc2

v5.*

v5.0.0

v5.1.0

v5.2.0

v6.*

v6.0.0-ee

v6.0.0-ee.beta

v6.0.0-ee.rc1

v6.1.0-ee

v6.3.0-ee

v6.3.1-ee

v6.4.0-ee

v6.5.0-ee

v6.6.0-ee

v6.7.0-ee

v6.7.0.rc1-ee

v6.8.0-ee

v7.*

v7.0.0-ee

v7.1.0-ee

v7.1.0.rc1-ee

v7.2.0.rc1-ee

v7.2.0.rc2-ee

v7.2.0.rc3-ee

v7.2.0.rc4-ee

v7.2.0.rc5-ee

v7.3.0-ee

v7.3.0.rc1-ee

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5226.json"