| Assigner | GitLab |
| Reserved | 2023-08-13 |
| Published | 2023-12-01 |
| Updated | 2024-07-25 |
Description
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, and all versions starting from 16.6 before 16.6.1. A user with the Developer role could edit an existing pipeline schedule and change its target ref from an unprotected branch to a protected branch, bypassing the access control that should have restricted that change. Fixed in 16.4.3, 16.5.3 and 16.6.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (base score 4.3, Medium)
Problem types
CWE-284: Improper Access Control
Product status
9.2 before 16.4.3
16.5 before 16.5.3
16.6 before 16.6.1
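The three affected ranges above are easy to misread because the 16.4 line stays affected up to 16.4.2 while 16.4.3 and later are fixed, and the same pattern repeats for 16.5 and 16.6. The following is an added example (not GitLab's code and not part of this record) that encodes the ranges exactly as listed and tells you whether a given version string is affected and which patch release closes the gap. The version string is assumed to be whatever your instance reports, for example the `version` field returned by `GET /api/v4/version`; the edition suffix handling (`-ee`) is an assumption about that format.

```python
"""Check a GitLab version against the affected ranges in this CVE record.

Added example, not GitLab's code. AFFECTED_RANGES is copied verbatim from
the Product status section; each entry is (first affected, first fixed),
i.e. a half-open interval [lo, hi).
"""
from typing import Optional, Tuple

AFFECTED_RANGES = [
    ("9.2", "16.4.3"),
    ("16.5", "16.5.3"),
    ("16.6", "16.6.1"),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn a GitLab version string such as '16.4.2-ee' into (16, 4, 2).

    Assumption: an edition or build suffix, if present, follows '-' or '+'
    and is irrelevant to the affected ranges. Missing components pad to 0,
    so '16.5' sorts as 16.5.0, the first release of that line.
    """
    core = v.strip().split("-")[0].split("+")[0]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unparseable version component {part!r} in {v!r}")
        nums.append(int(part))
    if not nums or len(nums) > 3:
        raise ValueError(f"expected MAJOR.MINOR[.PATCH], got {v!r}")
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release for the matching range, or None if unaffected.

    Tuples compare lexicographically, so (16, 4, 2) < (16, 4, 3) < (16, 5, 0)
    without any string tricks. A version past the fixed release of its own
    line (e.g. 16.4.5) falls outside every interval and is reported as safe.
    """
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    """True if the version falls in any affected range from the record."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    import sys

    # Constructed sample inputs; pass your own instance's version instead.
    for candidate in sys.argv[1:] or ["16.4.2-ee", "16.4.3", "16.5.2", "16.6.0", "16.6.1"]:
        fix = fixed_version_for(candidate)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{candidate}: {status}")
```

Pipe your instance's reported version into the script before deciding whether the upgrade is urgent; the check is deliberately conservative about malformed strings and raises rather than silently treating them as safe.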
Credits
Thanks [js_noob](https://hackerone.com/js_noob) for reporting this vulnerability through our HackerOne bug bounty program
References
https://gitlab.com/gitlab-org/gitlab/-/issues/421846 (GitLab Issue #421846)
https://hackerone.com/reports/2089517 (HackerOne Bug Bounty Report #2089517)