
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to leak the email address of a user who created a service desk issue. The vulnerability was reported through GitLab's HackerOne bug bounty program and was assigned CVE-2023-1936 (GitLab Security Release).
The vulnerability exists in GitLab's Service Desk feature, which allows non-members to create issues by sending emails. GitLab introduced email address redaction for service desk issues in version 15.9, requiring at least the Reporter role to view a sender's address, but users with the Guest role could still obtain the redacted addresses through the API endpoint /api/v4/projects/:id/issues, where the address was returned in the service_desk_reply_to field of the response. This is classified as a low severity issue with a CVSS score of 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) (GitLab Security Release).
The vulnerability allows guest users to bypass GitLab's privacy controls and access email addresses of users who created service desk issues, even in cases where these addresses should be redacted. This impacts the confidentiality of user information and could potentially expose private email addresses to unauthorized users (GitLab Security Release).
The vulnerability has been fixed in GitLab versions 15.11.10, 16.0.6, and 16.1.1. Users are strongly advised to upgrade to these or later versions immediately. GitLab.com has already been updated with the patched version (GitLab Security Release).
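The following is an added example, not part of this database entry or GitLab's own code. It gives an administrator two checks: whether a self-managed GitLab version string falls inside the affected ranges listed above, and a post-upgrade audit that scans a list of issues as returned by /api/v4/projects/:id/issues and reports any issue whose service_desk_reply_to field is populated for a caller below Reporter (the numeric access levels 10 and 20 are GitLab's Guest and Reporter values). The API response is constructed inline so the script runs offline; in practice you would feed it the JSON returned for a token belonging to a Guest account on a test project.

```python
"""Audit helpers for CVE-2023-1936 (GitLab Service Desk email redaction bypass).
Added example; the affected ranges come from the advisory text above."""
import re

# Affected ranges from the advisory as [start, fixed) version tuples.
AFFECTED_RANGES = [
    ((13, 7, 0), (15, 11, 10)),
    ((16, 0, 0), (16, 0, 6)),
    ((16, 1, 0), (16, 1, 1)),
]

# GitLab access levels (numeric values used by the GitLab API).
GUEST = 10
REPORTER = 20


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR[.PATCH]' into a tuple; suffixes such as '-ee' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version lies in any affected range (fixed versions are excluded)."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def find_leaked_reply_to(issues: list, access_level: int) -> list:
    """Return the iids of issues whose service_desk_reply_to is visible to a
    caller below Reporter. On a patched instance this list should be empty,
    because the field is null for such callers. Reporter and above are
    allowed to see the address, so nothing is reported for them."""
    if access_level >= REPORTER:
        return []
    return [issue["iid"] for issue in issues if issue.get("service_desk_reply_to")]


# Constructed sample responses (not captured data) shaped like the issues API output.
SAMPLE_RESPONSE_VULNERABLE = [
    {"iid": 1, "title": "Cannot log in", "service_desk_reply_to": "customer@example.com"},
    {"iid": 2, "title": "Feature request", "service_desk_reply_to": None},
]
SAMPLE_RESPONSE_PATCHED = [
    {"iid": 1, "title": "Cannot log in", "service_desk_reply_to": None},
    {"iid": 2, "title": "Feature request", "service_desk_reply_to": None},
]

if __name__ == "__main__":
    for ver in ["15.11.9", "15.11.10", "16.0.6", "16.1.0", "16.1.1", "16.2.0"]:
        print(ver, "affected" if is_affected(ver) else "not affected")
    print("leaked in vulnerable sample:", find_leaked_reply_to(SAMPLE_RESPONSE_VULNERABLE, GUEST))
    print("leaked in patched sample:", find_leaked_reply_to(SAMPLE_RESPONSE_PATCHED, GUEST))
```

The version check treats the fixed releases as the exclusive upper bound of each range, matching the "before 15.11.10 / 16.0.6 / 16.1.1" wording. The audit deliberately reports nothing for Reporter and above, since those roles are entitled to see the sender address; a non-empty result for a Guest token after upgrading is the signal that something is still wrong.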
Source: This report was generated using AI