CVE-2023-3509: 
GitLab vulnerability analysis and mitigation

A security vulnerability (CVE-2023-3509) was discovered in GitLab affecting all versions before 16.7.6, versions 16.8 before 16.8.3, and versions 16.9 before 16.9.1. The vulnerability allowed group members with sub-maintainer role to modify the titles of privately accessible deploy keys associated with projects in the group (GitLab Security, NVD).

The vulnerability stems from insufficient authorization checks in GitLab's deploy key management functionality. The issue allowed users with sub-maintainer role to view and modify deploy key titles, which should normally be restricted to maintainers and owners. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD and 3.7 (Low) by GitLab, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability could allow unauthorized users to view project deploy keys and modify their titles, potentially misleading project maintainers or owners. Even after being removed from the victim project, attackers could continue to view and modify deploy key titles, which could lead to confusion and potential disruption of services that depend on these keys (GitLab Issue).

The vulnerability has been patched in GitLab versions 16.7.6, 16.8.3, and 16.9.1. Users are strongly recommended to upgrade to these or later versions to address this security issue. GitLab.com has already been updated with the patched version (GitLab Security).

The vulnerability was initially reported through GitLab's bug bounty program on HackerOne by security researcher 'theluci'. GitLab has classified this as a low-severity issue due to its limited impact and the requirement for authenticated access (GitLab Security).