CVE-2023-0483: 
GitLab vulnerability analysis and mitigation

CVE-2023-0483 is a security vulnerability discovered in GitLab affecting all versions starting from 12.1 before 15.7.8, 15.8 before 15.8.4, and 15.9 before 15.9.2. The vulnerability allows a project maintainer to extract a Datadog integration API key by modifying the site settings (GitLab Security).

The vulnerability has been assessed as medium severity with a CVSS score of 5.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N). The issue occurs when a maintainer intentionally sets an invalid host in the Datadog Site field and reviews logs after clicking the 'Test settings' button. When attempting to connect to the invalid host, the system returns an error message containing the full URL with the API token (GitLab Security).

The exploitation of this vulnerability could lead to the unauthorized disclosure of Datadog API keys. With access to these keys, malicious actors could potentially perform unauthorized actions on the victim's Datadog instance, compromising monitoring and observability systems (GitLab Security).

The vulnerability has been patched in GitLab versions 15.7.8, 15.8.4, and 15.9.2. Organizations are strongly recommended to upgrade to one of these versions or later to mitigate the risk. GitLab.com has already been updated with the patched version (GitLab Security).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher akadrian. GitLab addressed the issue promptly by releasing security patches and assigning it a medium severity rating (GitLab Security).