CVE-2023-0989: 
GitLab vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2023-0989) was discovered in GitLab CE/EE affecting all versions from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. The vulnerability allows attackers to extract non-protected CI/CD variables by tricking users to visit a fork with a malicious CI/CD configuration (GitLab Security, NVD).

The vulnerability involves the processing of CI/CD configurations in forked projects. An attacker can exploit this by creating a malicious CI/CD configuration in a forked project and tricking a user to visit it, leading to the disclosure of non-protected CI/CD variables. The issue has been assigned a medium severity rating with a CVSS score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) (GitLab Security).

The vulnerability allows unauthorized access to non-protected CI/CD variables, which could potentially expose sensitive configuration information. This information disclosure could be leveraged by attackers to gain insights into the target's CI/CD infrastructure and potentially lead to further attacks (GitLab Security).

The vulnerability has been fixed in GitLab versions 16.2.8, 16.3.5, and 16.4.1. Organizations are strongly recommended to upgrade to these or later versions immediately to mitigate the risk. GitLab.com has already been updated with the patched version (GitLab Security).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher shells3c, demonstrating the effectiveness of GitLab's security response program (GitLab Security).