CVE-2023-3932: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab Enterprise Edition (EE) affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, and all versions starting from 16.2 before 16.2.2. The vulnerability allowed attackers to run pipeline jobs as an arbitrary user via scheduled security scan policies (NVD, GitLab Release).

The vulnerability exists in GitLab's scan execution policy feature where an attacker could manipulate the git configuration to impersonate another user and trigger pipelines under their identity. The attack requires the attacker to know the victim's GitLab username and the name of a victim's internal or members-only project. The CVSS v3.1 base score is 8.2 (HIGH) with vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N (SecurityWeek).

The successful exploitation of this vulnerability allows attackers to gain unauthorized access to private code repositories, internal repositories, member-only repositories, registries, and other resources by obtaining the victim's CIJOBTOKEN. This enables the attacker to access and potentially exfiltrate sensitive information from private projects (GitLab Issue).

GitLab has released security updates to address this vulnerability. Users are strongly recommended to upgrade to versions 16.0.8, 16.1.3, or 16.2.2 or later. For users unable to upgrade immediately, the vulnerability can be mitigated by disabling either the 'Direct transfers' feature or the 'Security policies' feature, as the vulnerability only exists when both features are enabled simultaneously (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program. GitLab treated this as a critical security issue and released patches promptly. A subsequent bypass of this vulnerability (CVE-2023-5009) was later discovered and patched in September 2023, highlighting the ongoing attention to security within the GitLab community (SecurityWeek).