CVE-2023-3949: 
GitLab vulnerability analysis and mitigation

CVE-2023-3949 is a security vulnerability discovered in GitLab affecting all versions from 11.3 before 16.4.3, versions from 16.5 before 16.5.3, and versions from 16.6 before 16.6.1. The vulnerability was disclosed on December 1, 2023, and allows unauthorized users to view public projects' release descriptions via an atom endpoint when release access was set to only project members (NVD, GitLab Issue).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). The vulnerability specifically affects the atom endpoint functionality in GitLab's release access control mechanism (NVD).

The vulnerability allows unauthorized users to access release descriptions in public projects through the atom endpoint, even when the release access is explicitly restricted to project members only. This results in potential exposure of sensitive information that was intended to be private to project members (GitLab Issue).

The issue has been fixed in GitLab versions 16.4.3, 16.5.3, and 16.6.1. Users are advised to upgrade to these or later versions to mitigate the vulnerability (NVD).