CVE-2023-5226: 
GitLab vulnerability analysis and mitigation

A security vulnerability (CVE-2023-5226) was discovered in GitLab affecting all versions before 16.4.3, versions from 16.5 before 16.5.3, and versions from 16.6 before 16.6.1. The vulnerability was reported on September 20, 2023, and allows malicious actors to bypass prohibited branch checks using specially crafted branch names to manipulate repository content in the UI (NVD, CVE).

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and received a CVSS v3.1 base score of 7.5 (HIGH) from NIST and 4.8 (MEDIUM) from GitLab Inc. The CVSS vector string from NIST is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, no privileges required, and high impact on integrity (NVD).

The vulnerability allows attackers to create a discrepancy between the repository content displayed in the UI and the actual cloned repository content. This means users could see safe content in the web interface while the repository actually contains malicious code (GitLab Issue).

The vulnerability has been fixed in GitLab versions 16.4.3, 16.5.3, and 16.6.1. Users are advised to upgrade to these or later versions to protect against this security issue (NVD).