
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability was discovered in GitLab CE/EE affecting all versions before 16.0.8 and versions from 16.1 before 16.1.3. The issue allows developers to create pipeline schedules on protected branches even when they don't have merge access permissions (NVD, GitLab Issue).
The vulnerability stems from an authorization bypass in the Projects::PipelineSchedulesController. The controller uses the project as the subject for authorize_create_pipeline_schedule!, but ProjectPolicy doesn't properly check the ref for permission :create_pipeline_schedule. This allows developers to bypass branch protection rules and create pipeline schedules on branches they shouldn't have access to (GitLab Issue).
The vulnerability allows developers with no merge access to create pipeline schedules on protected branches, effectively bypassing the intended security controls. This undermines the branch protection mechanisms that are meant to restrict pipeline execution permissions on sensitive branches (GitLab Issue).
The issue was addressed in GitLab versions 16.0.8 and 16.1.3. Organizations should upgrade to these or newer versions to protect against this vulnerability. The fix involves modifying the Projects::PipelineSchedulesController to implement proper authorization checks for pipeline schedules and updating the Ci::PipelineSchedulePolicy to correctly handle protected branch permissions (GitLab Issue).
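The authorization flaw described above, as an added illustration that is not GitLab's own code: a minimal Ruby model in which the vulnerable check consults only the project-level permission, while the corrected check also requires merge access on the schedule's target ref when that ref is protected. All class, constant and method names are hypothetical, and the role ranks and sample data are constructed.

```ruby
# Added illustration (not GitLab's code): a simplified model of the
# authorization flaw. The first check only asks "may this user create
# pipeline schedules in this project?"; the fixed check additionally asks
# whether the user may merge to the schedule's target ref when that ref
# is protected. All names below are hypothetical.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

ProtectedBranch  = Struct.new(:name, :merge_access_level) # lowest role allowed to merge
Project          = Struct.new(:protected_branches)
User             = Struct.new(:name, :role)
PipelineSchedule = Struct.new(:ref)                       # target branch, e.g. "main"

# Vulnerable shape: the subject is the project only; the ref is never consulted.
def can_create_schedule_project_only?(user, _project, _schedule)
  ROLE_RANK.fetch(user.role) >= ROLE_RANK[:developer]
end

def protected_branch_for(project, ref)
  project.protected_branches.find { |pb| pb.name == ref }
end

# Fixed shape: developer-level permission on the project is necessary but not
# sufficient; a protected target ref additionally requires merge access to it.
def can_create_schedule_ref_aware?(user, project, schedule)
  return false unless can_create_schedule_project_only?(user, project, schedule)

  pb = protected_branch_for(project, schedule.ref)
  return true if pb.nil? # unprotected branch: project-level permission suffices

  ROLE_RANK.fetch(user.role) >= ROLE_RANK.fetch(pb.merge_access_level)
end

# Constructed sample data: "main" is protected, only maintainers may merge to it.
PROJECT = Project.new([ProtectedBranch.new("main", :maintainer)])
DEV     = User.new("dev", :developer)
MAINT   = User.new("maint", :maintainer)

if __FILE__ == $PROGRAM_NAME
  sched = PipelineSchedule.new("main")
  puts "project-only check, developer on main: #{can_create_schedule_project_only?(DEV, PROJECT, sched)}"
  puts "ref-aware check, developer on main:    #{can_create_schedule_ref_aware?(DEV, PROJECT, sched)}"
  puts "ref-aware check, maintainer on main:   #{can_create_schedule_ref_aware?(MAINT, PROJECT, sched)}"
end
```

The project-only check lets the developer schedule on the protected branch; the ref-aware check denies it while still allowing schedules on unprotected branches and for users with merge access.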
Source: This report was generated using AI