CVE-2023-1555: 
GitLab vulnerability analysis and mitigation

A vulnerability (CVE-2023-1555) was discovered in GitLab CE/EE affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, and all versions starting from 16.3 before 16.3.1. The vulnerability was related to namespace-level banned users being able to access the API, specifically allowing them to delete package registries (GitLab Release).

The vulnerability has been classified as a low severity issue with a CVSS score of 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). The technical issue revolves around an access control vulnerability where banned users at the namespace level could still interact with the API, specifically maintaining the ability to delete package registries (GitLab Release).

The primary impact of this vulnerability is that banned users could continue to perform destructive actions through the API, specifically the ability to delete package registries, despite their banned status. This represents a bypass of intended access restrictions and could potentially lead to unauthorized deletion of package registry resources (GitLab Release).

The vulnerability has been fixed in GitLab versions 16.3.1, 16.2.5, and 16.1.5. Users are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com was already running the patched version at the time of disclosure (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher ali_shehab. GitLab addressed this security issue as part of their regular security release cycle (GitLab Release).