CVE-2023-0223: 
GitLab vulnerability analysis and mitigation

CVE-2023-0223 is a security vulnerability discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, and all versions starting from 15.9 before 15.9.2. The vulnerability allows non-project members to retrieve release descriptions via the API, even when the release visibility is restricted to project members only in the project settings (GitLab Release).

The vulnerability is classified as a medium severity issue with a CVSS score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The issue stems from improper access control in the Tags API endpoint, which exposes release descriptions even when releases are set to be visible only to project members. The vulnerability specifically affects the API endpoint /api/v4/projects/{id}/repository/tags which leaked release information through the Description field in the response (GitLab Release).

The vulnerability allows unauthorized users to access potentially sensitive information contained in release descriptions that were intended to be restricted to project members only. This information disclosure could expose confidential release notes, internal documentation, or other sensitive project details that were meant to be private (GitLab Issue).

The vulnerability has been fixed in GitLab versions 15.7.8, 15.8.4, and 15.9.2. Organizations running affected versions should upgrade to the patched versions immediately. The fix involves implementing proper permission checks for the :read_release permission in the Tags API before showing Releases with Tags (GitLab Release).