CVE-2023-6680: 
GitLab vulnerability analysis and mitigation

An improper certificate validation issue was discovered in GitLab Enterprise Edition's Smartcard authentication feature affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2. The vulnerability was disclosed on December 15, 2023, and was assigned identifier CVE-2023-6680. The vulnerability allows an attacker to authenticate as another user if they have access to that user's public key when Smartcard authentication is enabled (GitLab Release, NVD).

The vulnerability stems from an improper certificate validation in the Smartcard authentication implementation. The flaw allows an attacker to impersonate any user by simply sending an unauthenticated request to the endpoint '/-/smartcard/verify_certificate' with a URL-encoded version of the target user's public certificate. The vulnerability has been assigned a CVSS v3.1 base score of 7.4 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. It's worth noting that Smartcard authentication is an experimental feature that must be manually enabled by an administrator (GitLab Release).

If exploited, this vulnerability allows an attacker to bypass authentication controls and impersonate any user who uses Smartcard authentication, provided they have access to the user's public certificate. This could lead to unauthorized access to sensitive information and resources within GitLab, potentially compromising the confidentiality and integrity of the affected system (NVD).

The vulnerability has been patched in GitLab versions 16.4.4, 16.5.4, and 16.6.2. Organizations running affected versions should upgrade to these patched versions immediately. The fix involves implementing encryption for the client certificate parameter when redirecting from the extract_certificate endpoint to the verify_certificate endpoint, preventing parameter manipulation (GitLab Release).

The vulnerability was responsibly disclosed by Lucas Serrano from PEReN (@LSerranoPEReN). GitLab has addressed the issue promptly by releasing security patches and assigning it a high severity rating (GitLab Release).