CVE-2023-3363: 
GitLab vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2023-3363) was identified in GitLab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, and all versions from 16.1 prior to 16.1.1. The vulnerability resulted in webhook tokens being exposed in Sidekiq logs when the log format was set to 'default' (GitLab Security Release).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File) with a CVSS v3.1 score of 3.9 (LOW) and vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. The issue occurs specifically when the Sidekiq logging format is set to 'default', causing the X-Gitlab-Token to be displayed in clear text during the WebHooks::LogExecutionWorker execution (NVD).

The vulnerability could lead to the exposure of webhook tokens in log files, potentially compromising the security of webhook communications. When exploited, this could allow attackers with access to log files to intercept and potentially abuse webhook tokens (GitLab Security Release).

The vulnerability has been patched in GitLab versions 15.11.10, 16.0.6, and 16.1.1. Organizations are strongly recommended to upgrade to these or later versions immediately. As a temporary workaround, organizations can consider changing the log format to 'json' instead of 'default' as the issue does not occur with json logging format (GitLab Security Release).

The vulnerability was reported by Martin Vaisset from MyMoneyBank and was addressed as part of GitLab's security release process. GitLab has classified this as a low-severity issue due to its limited impact and high requirements for exploitation (GitLab Security Release).