CVE-2023-2190: 
GitLab vulnerability analysis and mitigation

A vulnerability was discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, and all versions starting from 16.1 before 16.1.1. The vulnerability (CVE-2023-2190) allows users to view new commits to private projects in forks that were created while the project was public. This security issue was reported through GitLab's HackerOne bug bounty program (GitLab Security).

The vulnerability stems from improper access control mechanisms in GitLab's comparison functionality. When a public project is forked and then made private, the access controls fail to properly restrict visibility of new commits. The issue was rated as medium severity with a CVSS score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). The vulnerability exists in the comparison functionality where the code fails to properly validate access permissions when handling project comparisons (GitLab Issue).

The primary impact of this vulnerability is the potential exposure of private repository content. When exploited, it allows unauthorized users to view commits made to a private repository through forks that were created when the project was public, effectively bypassing the privacy controls put in place when the repository was made private (GitLab Security).

GitLab has addressed this vulnerability in versions 15.11.10, 16.0.6, and 16.1.1. Users are strongly recommended to upgrade their GitLab installations to one of these patched versions immediately. GitLab.com has already been updated with the security fix (GitLab Security).