CVE-2023-4812
📋 TL;DR
This vulnerability allows attackers to bypass CODEOWNERS approval requirements in GitLab EE by adding changes to previously approved merge requests. It affects all GitLab EE instances running vulnerable versions, potentially enabling unauthorized code changes.
💻 Affected Systems
- GitLab EE
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could push malicious code to protected branches, leading to supply chain attacks, backdoor insertion, or sensitive data exposure.
Likely Case
Internal users with merge request access could bypass approval workflows to push unauthorized changes, violating change control policies.
If Mitigated
With proper access controls and monitoring, impact is limited to policy violations rather than direct compromise.
🎯 Exploit Status
Exploitation requires existing merge request access. Attack pattern is simple and well-documented in the vulnerability report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.5.6, 16.6.4, or 16.7.2
Vendor Advisory: https://about.gitlab.com/releases/2023/11/30/critical-security-release-gitlab-16-7-2-released/
Restart Required: Yes
Instructions:
1. Backup GitLab instance.
2. Update to patched version using GitLab's update instructions.
3. Restart GitLab services.
4. Verify update completed successfully.
🔧 Temporary Workarounds
Disable CODEOWNERS feature
Temporarily disable CODEOWNERS approval requirements until patching is possible.
Navigate to Project Settings > Repository > Protected branches and adjust approval settings.
Require re-approval on MR updates
Manually configure projects to require fresh approvals when merge requests are updated.
Set up project rules to require new approvals on MR modifications.
🧯 If You Can't Patch
- Implement strict merge request monitoring and require manual verification of all changes before merging
- Reduce merge request permissions to minimal necessary users and implement two-person review for all changes
🔍 How to Verify
Check if Vulnerable:
Check GitLab version via Admin Area > Overview or run: sudo gitlab-rake gitlab:env:info
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm the running version is at or above the patched release for its branch (16.5.6 on 16.5.x, 16.6.4 on 16.6.x, or 16.7.2 on 16.7.x), then test that the CODEOWNERS approval bypass is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Merge requests approved then modified without re-approval
- CODEOWNERS approval bypass attempts in audit logs
Network Indicators:
- Unusual merge request activity patterns
SIEM Query:
gitlab_audit_event:merge_request AND (action:approved AND subsequent_action:modified)
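The first log indicator above (approved, then modified, then merged with no fresh approval) as a concrete detection pass over audit events. This is an added example, not part of this advisory and not GitLab's own audit-event schema: the records below are constructed in a simplified one-object-per-line JSON shape (fields ts, mr, action, author) such as a SIEM export might provide, and the action names are assumed.

```python
import json

# Constructed sample export (simplified schema, NOT GitLab's real audit format).
# MR 101: approved, then new commits pushed, then merged without re-approval  -> finding
# MR 102: approved, pushed, re-approved, merged                               -> clean
# MR 103: pushed before any approval, then approved, then merged             -> clean
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-01-10T09:00:00Z", "mr": 101, "action": "approved", "author": "owner-a"}
{"ts": "2024-01-10T09:30:00Z", "mr": 101, "action": "pushed", "author": "dev-b"}
{"ts": "2024-01-10T09:45:00Z", "mr": 101, "action": "merged", "author": "dev-b"}
{"ts": "2024-01-10T10:00:00Z", "mr": 102, "action": "approved", "author": "owner-a"}
{"ts": "2024-01-10T10:20:00Z", "mr": 102, "action": "pushed", "author": "dev-c"}
{"ts": "2024-01-10T10:40:00Z", "mr": 102, "action": "approved", "author": "owner-a"}
{"ts": "2024-01-10T10:50:00Z", "mr": 102, "action": "merged", "author": "owner-a"}
{"ts": "2024-01-10T11:00:00Z", "mr": 103, "action": "pushed", "author": "dev-d"}
{"ts": "2024-01-10T11:10:00Z", "mr": 103, "action": "approved", "author": "owner-a"}
{"ts": "2024-01-10T11:20:00Z", "mr": 103, "action": "merged", "author": "dev-d"}
"""

# Assumed action names that change the content of a merge request after approval.
MODIFYING_ACTIONS = {"pushed", "rebased", "force_pushed"}


def parse_events(text):
    """Parse one JSON object per line and order by timestamp (ISO-8601 'Z' sorts lexically)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def find_stale_approval_merges(events):
    """Return {mr: [(author, ts), ...]} for merge requests that were merged while
    carrying changes pushed after the most recent approval, i.e. the stale-approval
    pattern this CVE enables. Changes pushed before any approval are not flagged."""
    state = {}     # mr -> {"approved": bool, "changes": [(author, ts), ...]}
    findings = {}
    for e in events:
        s = state.setdefault(e["mr"], {"approved": False, "changes": []})
        action = e["action"]
        if action == "approved":
            s["approved"] = True
            s["changes"] = []          # a fresh approval covers everything pushed so far
        elif action in MODIFYING_ACTIONS and s["approved"]:
            s["changes"].append((e["author"], e["ts"]))   # post-approval modification
        elif action == "merged" and s["changes"]:
            findings[e["mr"]] = list(s["changes"])        # merged on a stale approval
    return findings


if __name__ == "__main__":
    for mr, changes in find_stale_approval_merges(parse_events(SAMPLE_AUDIT_LOG)).items():
        print(f"MR {mr}: merged with un-reapproved changes by {changes}")
```

Each finding is a review lead, not proof of abuse: a project that does not require CODEOWNERS approval can legitimately merge after a post-approval push, so correlate with the project's approval rules before escalating.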