CVE-2023-5356: 
GitLab vulnerability analysis and mitigation

Incorrect authorization checks in GitLab CE/EE affecting versions from 8.13 before 16.5.6, 16.6 before 16.6.4, and 16.7 before 16.7.2 were discovered. The vulnerability allows users to abuse Slack/Mattermost integrations to execute slash commands as another user (GitLab Release, NVD).

The vulnerability stems from non-correlation between token verification and user identification in slash command integrations. The flaw involves two steps: verification of the integration token and identification of the current user via team_id and user_id parameters. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while GitLab assessed it at 7.3 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N (NVD, GitLab Release).

The vulnerability enables attackers to execute any slash commands as victims, including executing ChatOps jobs, deploying between environments, and creating new issues or comments. The impact is significant as it allows command execution impersonating other users within the Slack/Mattermost integration context (Security Online).

GitLab has addressed this vulnerability in versions 16.5.6, 16.6.4, and 16.7.2. Users are strongly recommended to upgrade their GitLab installations to one of these patched versions immediately. GitLab.com has already been updated with the security fix (GitLab Release).