CVE-2023-4630: 
GitLab vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2023-4630) was discovered in GitLab affecting all versions from 10.6 before 16.1.5, versions from 16.2 before 16.2.5, and versions from 16.3 before 16.3.1. The vulnerability allows any user to read limited information about any project's imports. This vulnerability was discovered internally by GitLab team member Rodrigo Tomonari and was disclosed on August 31, 2023 (GitLab Advisory).

The vulnerability exists in the GET /api/v4/project/:ID/import endpoint, which can expose sensitive information about project imports. The endpoint returns a 404 status if the user doesn't have permission to READ the project and 200 if the user has permission, making it accessible for all public projects and private projects where the user has READ permission. The CVSS v3.1 base score is 5.0 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (NVD).

The vulnerability could expose sensitive information through the import endpoint, including failedrelations.exceptionmessage and error_message fields, which might contain sensitive data such as access tokens or URLs if not properly filtered (GitLab Issue).

The vulnerability has been fixed in GitLab versions 16.1.5, 16.2.5, and 16.3.1. Organizations are strongly recommended to upgrade to one of these patched versions immediately. The fix involves implementing proper authorization checks to limit access to the import endpoint to users with appropriate permissions (GitLab Advisory).