An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions.

References

• MISC:GitLab Issue #436977
• URL:https://gitlab.com/gitlab-org/gitlab/-/issues/436977
• MISC:HackerOne Bug Bounty Report #2295423
• URL:https://hackerone.com/reports/2295423
• MISC:https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released/
• URL:https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released/