CVE-2023-2069: 
GitLab vulnerability analysis and mitigation

A vulnerability in GitLab affecting versions starting from 10.0 before 12.9.8, versions starting from 12.10 before 12.10.7, and versions starting from 13.0 before 13.0.1 allowed users with developer role to exploit project import functionality to access unauthorized data. The vulnerability, identified as CVE-2023-2069, was discovered and reported through GitLab's HackerOne bug bounty program by researcher js_noob (GitLab Security Release).

The vulnerability stems from insufficient access control mechanisms in GitLab's project import feature. Users with developer role could manipulate the protected branches settings during project import to gain unauthorized access to CI/CD variables. The issue has been assigned a medium severity rating with a CVSS score of 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) (GitLab Security Release).

The vulnerability allowed developers to bypass security controls and access masked group and project CI/CD variables. Additionally, it enabled developers to modify the main branch without requiring maintainer permissions, potentially compromising project integrity (GitLab Security Release).

GitLab has addressed this vulnerability by restricting imports to users with Maintainer role and above. However, this fix affected the usage of custom project templates at both group and instance levels, preventing developers from creating projects from custom templates. GitLab has indicated they are working on a patch to restore the ability for users with Developer role to create projects from templates (GitLab Security Release).