CVE-2023-3950: 
GitLab vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2023-3950) was identified in GitLab Enterprise Edition (EE) affecting versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1. The vulnerability allowed group owners to view the Public Key for a Google Cloud Logging audit event streaming destination when configured (GitLab Release, NVD).

The vulnerability is classified as CWE-312 (Cleartext Storage of Sensitive Information). It received a CVSS v3.1 base score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N) from GitLab Inc., while the NVD assigned a score of 3.8 LOW (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N) (NVD).

The vulnerability exposed Google Cloud private keys to other group owners who had access to the GitLab UI. This exposure could potentially allow unauthorized access to Google Cloud services using the leaked credentials (GitLab Issue).

GitLab has addressed this vulnerability in versions 16.2.5 and 16.3.1. The fix modifies the system so that owners can only write the key but not read it. Users are strongly recommended to upgrade to these patched versions (GitLab Release).