CVE-2023-5933: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. The vulnerability involves improper input sanitization of user names that allows arbitrary API PUT requests (GitLab Advisory, NVD).

The vulnerability stems from insufficient sanitization of user names in GitLab's input handling. The CVSS v3.1 base score is rated as 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N according to GitLab's assessment, while NVD rates it at 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) (NVD).

The vulnerability allows attackers to execute arbitrary API PUT requests on behalf of victims through HTML injection in user names. This could potentially lead to unauthorized actions being performed with the victim's privileges (GitLab Advisory).

GitLab has released patches in versions 16.6.6, 16.7.4, and 16.8.1 to address this vulnerability. It is strongly recommended that all affected installations be upgraded to one of these patched versions immediately. GitLab.com and GitLab Dedicated environments have already been updated with the necessary patches (GitLab Advisory).