
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches (GitLab Release).
The vulnerability is classified as a medium-severity issue with a CVSS v3.1 base score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N): a low-privileged, authenticated user (PR:L) gains no read access but can alter protected content (I:H). The issue is specific to the protected-branch access control in GitLab EE Premium and Ultimate, where permissions were evaluated incorrectly for members of subgroups who hold the Developer role (NVD).
As a result, subgroup members with the Developer role could bypass the intended restrictions on protected branches and push or merge changes that only Maintainers (or another explicitly allowed group) should have been able to land. Because protected branches are typically the release or deployment branches, this undermines the integrity of the codebase and of anything built from it in affected projects (GitLab Release).
The vulnerability has been fixed in GitLab versions 16.6.2, 16.5.4, and 16.4.4. GitLab strongly recommends that affected installations upgrade to one of these patched versions immediately. GitLab has also provided a script to help identify projects whose protected-branch configuration may have been subject to the issue, so that their branch history can be reviewed for unexpected pushes or merges (GitLab Release).
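The page does not reproduce GitLab's identification script. The following is an added example, not GitLab's own code, showing the two checks an administrator would want when triaging this advisory: whether the instance version is one of the unpatched releases named above, and which protected branches use group-scoped push or merge rules (the configuration class the advisory describes). It assumes the instance exposes the standard `GET /api/v4/version` and `GET /api/v4/projects/:id/protected_branches` endpoints, and the sample API response is constructed here for illustration. A version string alone cannot tell Premium/Ultimate apart from a Free EE instance, so the version check only confirms the edition is EE.

```python
"""Triage helpers for the GitLab protected-branch subgroup issue (added example)."""
import json
import os
import re
import urllib.request

# Patch releases named in the advisory, keyed by (major, minor) line.
FIXED_PATCH = {(16, 4): 4, (16, 5): 4, (16, 6): 2}

# Constructed sample of GET /api/v4/projects/:id/protected_branches (Premium/Ultimate
# responses carry user_id / group_id on each access-level entry). Not real API output.
SAMPLE_PROTECTED_BRANCHES = [
    {
        "name": "main",
        "push_access_levels": [
            {"access_level": 40, "access_level_description": "Maintainers",
             "user_id": None, "group_id": None},
        ],
        "merge_access_levels": [
            # merge rule scoped to a (sub)group: this is the configuration to review
            {"access_level": 40, "access_level_description": "release-team",
             "user_id": None, "group_id": 1234},
        ],
    },
    {
        "name": "release/*",
        "push_access_levels": [
            {"access_level": 0, "access_level_description": "No one",
             "user_id": None, "group_id": None},
        ],
        "merge_access_levels": [
            {"access_level": 40, "access_level_description": "Maintainers",
             "user_id": None, "group_id": None},
        ],
    },
]


def parse_version(version_string):
    """'16.6.1-ee' -> ((16, 6, 1), 'ee'); edition is None for a bare 'x.y.z'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?.*", version_string)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version_string!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_patched(version_string):
    """True/False for the 16.4/16.5/16.6 lines; None when the advisory does not
    cover the input (non-EE edition, or a minor line it does not mention)."""
    (major, minor, patch), edition = parse_version(version_string)
    if edition != "ee":
        return None  # advisory applies to EE Premium/Ultimate only
    fix = FIXED_PATCH.get((major, minor))
    if fix is None:
        return None  # line not named in the advisory; decide separately
    return patch >= fix


def group_scoped_rules(protected_branches):
    """Return (branch, action, group_id) for every push/merge rule scoped to a group."""
    findings = []
    for pb in protected_branches:
        for action, key in (("push", "push_access_levels"), ("merge", "merge_access_levels")):
            for rule in pb.get(key, []):
                if rule.get("group_id") is not None:
                    findings.append((pb["name"], action, rule["group_id"]))
    return findings


def api_get(base_url, path, token):
    """Minimal GET against the REST API; assumes a token with read_api scope."""
    req = urllib.request.Request(f"{base_url}/api/v4/{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Live mode needs GITLAB_URL, GITLAB_TOKEN and GITLAB_PROJECT (hypothetical env names);
    # without them the script runs over the constructed sample above.
    url, token, project = (os.environ.get(k) for k in ("GITLAB_URL", "GITLAB_TOKEN", "GITLAB_PROJECT"))
    if url and token and project:
        version = api_get(url, "version", token)["version"]
        branches = api_get(url, f"projects/{project}/protected_branches?per_page=100", token)
        print(f"{version}: patched={is_patched(version)}")
    else:
        branches = SAMPLE_PROTECTED_BRANCHES
    for branch, action, gid in group_scoped_rules(branches):
        print(f"review {action} history on '{branch}': rule scoped to group {gid}")
```

Any branch reported by `group_scoped_rules` on an instance where `is_patched` is `False` is worth a look through its push events and merged merge requests for the window in which the unpatched version was running; the rule itself is not a misconfiguration, it is simply the case the advisory says was enforced incorrectly.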
Source: This report was generated using AI