CVE-2023-0319: 
GitLab vulnerability analysis and mitigation

CVE-2023-0319 is a security vulnerability discovered in GitLab affecting all versions from 13.6 before 15.8.5, all versions from 15.9 before 15.9.4, and all versions from 15.10 before 15.10.1. The vulnerability allows unauthorized users to read environment names that were supposed to be restricted to project members only (GitLab Release).

The vulnerability exists in GitLab's environment name visibility controls. When environments are set to be visible for 'Only Project Members', unauthenticated users could still access environment names through the groups endpoint '/groups/Group1/-/unfolderedenvironment_names.json'. The issue has been assigned a CVSS v3.1 score of 5.8 (Medium severity) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N (GitLab Release).

The vulnerability allows unauthorized users to view environment names from public projects that were intended to be restricted to project members only, potentially exposing sensitive information about the project's infrastructure (GitLab Issue).

The vulnerability has been fixed in GitLab versions 15.8.5, 15.9.4, and 15.10.1. Users are strongly recommended to upgrade to these or later versions immediately. The fix implements proper authorization checks using before_action to ensure only authorized users can access environment names (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher ashishrpadelkar. GitLab addressed the issue promptly and included the fix in their March 2023 security release (GitLab Release).