CVE-2023-6477: 
GitLab vulnerability analysis and mitigation

A privilege escalation vulnerability was discovered in GitLab Enterprise Edition (EE) affecting versions from 16.5 before 16.7.6, 16.8 before 16.8.3, and 16.9 before 16.9.1. The vulnerability, identified as CVE-2023-6477, allows users with custom roles having admin_group_member permission to potentially escalate their privileges to group Owner level (GitLab Security).

The vulnerability stems from an authorization issue where users assigned a custom role with admin_group_member permission could manipulate group membership settings to make themselves or other members Owners of that group. The issue has been assigned a CVSS score of 6.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L (GitLab Security).

When exploited, this vulnerability allows attackers with admin_group_member permission to elevate their privileges or grant Owner access to other members within the group, potentially leading to unauthorized access to sensitive group resources and settings (GitLab Security).

GitLab has addressed this vulnerability in versions 16.9.1, 16.8.3, and 16.7.6. Organizations are strongly recommended to upgrade their GitLab installations to one of these patched versions immediately. GitLab.com has already been updated with the security fix (GitLab Security).