CVE-2023-2576: 
GitLab vulnerability analysis and mitigation

A vulnerability (CVE-2023-2576) was discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, and all versions starting from 16.1 before 16.1.1. The vulnerability allows developers to bypass Code Owners branch protection rules, potentially compromising repository security (GitLab Security Release).

The vulnerability exploits Git's ambiguous reference name handling mechanism. By creating a tag with the same name as a protected branch, an attacker could circumvent Code Owners approval requirements. This occurs because a CODEOWNERS file inside a tag reference takes precedence over the one in the branch when both tag and branch share the same name. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Medium severity), with the vector string AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (GitLab Security Release).

The vulnerability allows developers to bypass Code Owners approval requirements and merge unauthorized changes into protected branches. This could potentially compromise source code integrity, enable execution of malicious code on affected systems, facilitate the theft of GitLab CI secrets, or enable supply chain attacks. Notably, the attack can be executed without requiring any interaction from repository maintainers (GitLab Issue).

The vulnerability has been patched in GitLab versions 15.11.10, 16.0.6, and 16.1.1. Organizations are strongly recommended to upgrade their GitLab installations to one of these versions immediately. GitLab.com has already been updated with the patched version (GitLab Security Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher 'inspector-ambitious'. GitLab has classified this as a medium severity issue and addressed it promptly in their security release (GitLab Security Release).