CVE-2023-3115: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab EE affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On (SSO) restrictions were not correctly enforced for indirect project members accessing public members-only project repositories (GitLab Security Release, NVD).

The vulnerability allows Single Sign On restrictions to be bypassed when members without identity are invited via the 'invite a group' option. The issue affects public projects where SSO settings are enforced but fail to properly validate access for members who gain access through group invitations. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows unauthorized users to bypass SSO enforcement and access resources they should not have access to without proper SSO authentication. Affected users can access group settings, project repositories, create issues, merge requests, and run pipelines, effectively bypassing intended access controls (GitLab Security Release).

The vulnerability has been fixed in GitLab versions 16.2.8, 16.3.5, and 16.4.1. Organizations are strongly recommended to upgrade to these or later versions to address the security issue. The fix ensures proper enforcement of SSO restrictions for all access paths, including indirect group memberships (GitLab Security Release).