
Cloud Vulnerability DB
A community-led vulnerabilities database
An information disclosure vulnerability (CVE-2023-3362) was discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.0.6, and version 16.1.0. The vulnerability allows unauthenticated actors to access import error information if a project was imported from GitHub (GitLab Release).
The vulnerability exists in the Import::GithubController#failures action, which was implemented without proper authorization checks. This allows unauthorized access to import errors of any project imported via GitHub through the endpoint https://gitlab.com/import/github/failures?project_id=PROJECT_ID. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).
The vulnerability allows unauthenticated users to access sensitive import error information from GitHub-imported projects. This could potentially expose internal configuration details, access tokens, or other sensitive information that might be contained in import error logs (GitLab Issue).
The vulnerability has been fixed in GitLab versions 16.0.6 and later by implementing proper authorization checks that verify if the user is the owner of the project. Users are strongly recommended to upgrade to a patched version. The fix includes adding a `created_by(current_user)` check to ensure only project owners can access the import error information (GitLab Issue).
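To make the missing check concrete, here is an added illustration in plain Ruby; it is not GitLab's code and uses a constructed in-memory Project table rather than Rails models. It contrasts an unscoped lookup by `project_id` (the pattern the advisory describes) with one scoped to the requesting user's own projects, mirroring the `created_by(current_user)` fix. The `Project`/`User` structs, the `creator_id` field and the sample failure messages are assumptions of the example.

```ruby
# Added example (not GitLab code): why scoping the lookup to the current
# user closes the import-failures disclosure described above.

Project = Struct.new(:id, :creator_id, :import_failures)
User    = Struct.new(:id)

# Constructed sample data; ids and messages are hypothetical.
PROJECTS = [
  Project.new(1, 100, ["GitHub import: API rate limit reached"]),
  Project.new(2, 200, ["GitHub import: access token 'ghp_EXAMPLE' rejected"]),
].freeze

class NotFound < StandardError; end

# Vulnerable shape: the record is located by id alone, so anyone who can
# reach the endpoint (current_user may be nil, i.e. unauthenticated) reads
# any project's import errors simply by choosing the project_id.
def failures_unscoped(project_id, _current_user)
  project = PROJECTS.find { |p| p.id == project_id }
  raise NotFound unless project
  project.import_failures
end

# Fixed shape: narrow the candidate set to projects created by the current
# user *before* looking up the id. A foreign project_id then behaves exactly
# like a non-existent one, and an anonymous caller gets nothing at all.
def failures_scoped(project_id, current_user)
  raise NotFound if current_user.nil?
  owned   = PROJECTS.select { |p| p.creator_id == current_user.id }
  project = owned.find { |p| p.id == project_id }
  raise NotFound unless project
  project.import_failures
end

if __FILE__ == $PROGRAM_NAME
  puts "unscoped, anonymous:  #{failures_unscoped(2, nil).inspect}"
  puts "scoped, owner:        #{failures_scoped(2, User.new(200)).inspect}"
  begin
    failures_scoped(2, User.new(100))
  rescue NotFound
    puts "scoped, non-owner:    NotFound (as intended)"
  end
end
```

The important design point is that the authorization is expressed as a narrowing of the query rather than a separate permission branch after the fetch: the scoped version never even loads a project the caller does not own, so there is no code path that can accidentally return it.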
The vulnerability was discovered internally by GitLab team member Rodrigo Tomonari and was handled through GitLab's security release process. It was addressed as part of a larger security release that included fixes for several other vulnerabilities (GitLab Release).
Source: This report was generated using AI