CVE-2023-6840: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab Enterprise Edition (EE) affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch that bypasses the security policy added to block MR (GitLab Security, NVD).

The vulnerability allows project maintainers to bypass group's scan result policy block_branch_modification setting. When this setting is enabled, it should prevent users from removing a branch from the protected branches list, deleting a protected branch, or changing the default branch if that branch is included in the security policy. However, maintainers can bypass this protection by sending an API request to update the protected branch name, effectively removing the protection status (GitLab Issue). The vulnerability has been assigned a CVSS v3.1 base score of 6.7 (Medium) with vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H (NVD).

The vulnerability allows maintainers to bypass security policies and remove protection status from branches, potentially enabling the merging of vulnerable code. This undermines the security controls put in place by group owners to prevent unauthorized modifications to protected branches (GitLab Issue).

The vulnerability has been fixed in GitLab versions 16.6.7, 16.7.5, and 16.8.2. Users are strongly recommended to upgrade to these patched versions immediately. The fix prevents the modification of protected branch names when the block_branch_modification setting is enabled (GitLab Security).