CVE-2023-5198: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. The vulnerability allowed removed project members to write to protected branches using deploy keys (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue stems from an authorization flaw where deploy keys could still be used to write to protected branches even after a user's project membership was revoked (GitLab Release).

The vulnerability allows unauthorized access to protected branches through deploy keys after user removal, potentially compromising the integrity of protected code branches. This particularly affects scenarios where removed project members retain access to deploy keys, enabling them to continue making unauthorized modifications to protected branches (GitLab Release).

The vulnerability has been fixed in GitLab versions 16.2.7, 16.3.5, and 16.4.1. Organizations are strongly recommended to upgrade to these or newer versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher 'theluci'. GitLab has classified this as a medium severity issue and promptly addressed it in their security release (GitLab Release).