Home

Description

An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project

PUBLISHED Reserved 2024-01-12 | Published 2024-01-26 | Updated 2026-06-05 | Assigner GitLab




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-425: Direct Request ('Forced Browsing')

Product status

Default status
unaffected

14.0 (semver) before 16.6.6
affected

16.7 (semver) before 16.7.4
affected

16.8 (semver) before 16.8.1
affected

Credits

Thanks to [Niklas](https://gitlab.com/Taucher2003) for reporting this vulnerability finder

References

about.gitlab.com/...security-release-gitlab-16-8-1-released/

gitlab.com/gitlab-org/gitlab/-/issues/430726 (GitLab Issue #430726) issue-tracking

about.gitlab.com/...security-release-gitlab-16-8-1-released/

gitlab.com/gitlab-org/gitlab/-/issues/430726 (GitLab Issue #430726) issue-tracking

cve.org (CVE-2024-0456)

nvd.nist.gov (CVE-2024-0456)

Download JSON