{"id":"CVE-2023-3907","summary":"Improper User Management in GitLab","details":"A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner.","aliases":["BIT-gitlab-2023-3907"],"modified":"2026-04-10T04:59:18.208492Z","published":"2023-12-17T23:02:36.694Z","database_specific":{"cwe_ids":["CWE-286"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3907.json","cna_assigner":"GitLab"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3907.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3907"},{"type":"REPORT","url":"https://gitlab.com/gitlab-org/gitlab/-/issues/418878"},{"type":"REPORT","url":"https://hackerone.com/reports/2058934"},{"type":"PACKAGE","url":"git://git@gitlab.com:gitlab-org/gitlab.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"280a09dbca836a6eedf5da1e63953fe8da44bf4c"},{"fixed":"67af793e55bd098111d3c3e265cd2c92eb283f1c"}],"database_specific":{"versions":[{"introduced":"16.0"},{"fixed":"16.4.4"}]}},{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"fc87c9d4cca1536abcf902b4128f5c2004d87162"},{"fixed":"e61024519bb5cc50876f66ccd646ffb4f362cb9f"}],"database_specific":{"versions":[{"introduced":"16.5"},{"fixed":"16.5.4"}]}},{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"94991886af3e3820aa09fa353b29cf8557c93168"},{"fixed":"fddcadf1869c436c104fcc477884a0c17c2b3c70"}],"database_specific":{"versions":[{"introduced":"16.6"},{"fixed":"16.6.2"}]}}],"versions":["v16.5.0-ee","v16.5.2-ee","v16.6.0-ee"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3907.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}]}