CVE-2023-3115: CWE-286: Incorrect User Management in GitLab

Medium
Tags: Vulnerability, CVE-2023-3115, CVE, CWE-286
Published: Fri Sep 29 2023 (09/29/2023, 06:02:51 UTC)
Source: CVE
Vendor/Project: GitLab
Product: GitLab

Description

An issue has been discovered in GitLab EE affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories.

AI-Powered Analysis

AI analysis last updated: 07/07/2025, 11:12:24 UTC

Technical Analysis

CVE-2023-3115 is a medium-severity vulnerability in GitLab Enterprise Edition (EE), affecting versions from 11.11 before 16.2.8, 16.3 before 16.3.5, and 16.4 before 16.4.1. It stems from incorrect user management in the enforcement of Single Sign-On (SSO) restrictions: the restrictions were not applied to indirect project members accessing public members-only project repositories. Indirect project members are users who hold access to a project not through direct membership but through group membership or other nested access controls. Because the SSO check was skipped for them, such members could bypass restrictions that should have limited their access and obtain unauthorized read access to repository content.

The vulnerability is classified under CWE-286 (Incorrect User Management), meaning the system does not correctly manage user access and the controls attached to it. The CVSS v3.1 base score is 5.4 (medium), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, limited confidentiality and integrity impact, and no availability impact. No exploitation in the wild had been reported at the time of analysis.

GitLab EE is widely used for source code management and DevOps lifecycle management in enterprises, so the affected version range is broad. The root cause is the failure to enforce SSO restrictions for indirect members, which can lead to unauthorized information disclosure in organizations that rely on GitLab for code hosting and collaboration.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized access to sensitive source code and project data, especially in environments where SSO is enforced to restrict access to certain projects. Unauthorized disclosure of source code can lead to intellectual property theft, exposure of security-sensitive information such as credentials or secrets embedded in code, and potential facilitation of further attacks such as supply chain compromises. Organizations using GitLab EE with SSO configurations are particularly at risk if they rely on indirect membership for access control. The impact is primarily confidentiality loss, with limited integrity impact and no availability impact. Given the widespread adoption of GitLab in European enterprises, including technology companies, financial institutions, and government agencies, the vulnerability could undermine trust in internal security controls and compliance with data protection regulations such as GDPR if sensitive data is exposed. However, the requirement for some level of privileges (indirect membership) and no user interaction reduces the likelihood of mass exploitation. Still, targeted attacks or insider threats could leverage this flaw to gain unauthorized access to project repositories.

Mitigation Recommendations

European organizations should promptly upgrade GitLab EE to the fixed versions: 16.2.8 or later, 16.3.5 or later, and 16.4.1 or later, depending on their current version. Until patching is complete, organizations should audit indirect project memberships and SSO configurations to ensure that access controls are as restrictive as possible. Specifically, review group memberships and nested access rights to minimize indirect access to sensitive projects. Implement monitoring and alerting on unusual access patterns to public members-only repositories, especially from indirect members. Additionally, consider temporarily disabling indirect membership access to sensitive projects if feasible. Organizations should also review their SSO integration settings to confirm that enforcement policies are correctly applied and test access restrictions thoroughly. Employing the principle of least privilege in project memberships and regularly reviewing access rights can reduce exposure. Finally, maintain an incident response plan to address any potential unauthorized access incidents stemming from this vulnerability.
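The audit and monitoring steps above, as an added example (not the advisory's or GitLab's own code): it derives a project's indirect members by comparing the direct member list with the combined list the GitLab REST API exposes (`GET /projects/:id/members` versus `GET /projects/:id/members/all`), flags indirect members that have no linked SSO identity, and then scans log lines for git-over-HTTP access to a members-only repository by those accounts. The member lists, the SSO-linked set and the log lines are all constructed sample data, and the log field names follow the shape of GitLab's production_json.log rather than a captured file.

```python
import json

# Constructed sample: direct members of a members-only project, in the shape of
# GitLab's `GET /projects/:id/members` response (only the fields used here).
DIRECT_MEMBERS = [{"id": 1, "username": "alice", "access_level": 40}]
# Constructed sample: direct plus inherited members (`GET /projects/:id/members/all`).
ALL_MEMBERS = [
    {"id": 1, "username": "alice", "access_level": 40},
    {"id": 2, "username": "bob", "access_level": 30},    # inherited via group
    {"id": 3, "username": "carol", "access_level": 20},  # inherited via group
]
# Constructed: usernames whose accounts are linked to the group's SSO provider.
SSO_LINKED = {"alice", "bob"}

def indirect_members(direct, everyone):
    """Members in the combined list but not in the direct list."""
    direct_ids = {m["id"] for m in direct}
    return [m for m in everyone if m["id"] not in direct_ids]

def indirect_without_sso(direct, everyone, sso_linked):
    """Indirect members with no SSO identity: the accounts to review first,
    since SSO enforcement was not applied to them on unpatched versions."""
    return sorted(m["username"] for m in indirect_members(direct, everyone)
                  if m["username"] not in sso_linked)

# Constructed log lines in the style of GitLab's production_json.log (subset of fields).
LOG_LINES = [
    '{"method":"GET","path":"/acme/secret-svc.git/info/refs","status":200,"username":"carol","remote_ip":"203.0.113.5"}',
    '{"method":"GET","path":"/acme/secret-svc.git/info/refs","status":200,"username":"alice","remote_ip":"198.51.100.7"}',
    '{"method":"GET","path":"/acme/public-site.git/info/refs","status":200,"username":"carol","remote_ip":"203.0.113.5"}',
]

def flag_repo_access(log_lines, repo_path, watch_users):
    """Return (username, remote_ip) for successful git-over-HTTP access to
    repo_path by any user in watch_users."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if (ev.get("status") == 200 and ev.get("path", "").startswith(repo_path)
                and ev.get("username") in watch_users):
            hits.append((ev["username"], ev["remote_ip"]))
    return hits

if __name__ == "__main__":
    risky = indirect_without_sso(DIRECT_MEMBERS, ALL_MEMBERS, SSO_LINKED)
    print("indirect members without SSO identity:", risky)
    print("repo access to review:", flag_repo_access(LOG_LINES, "/acme/secret-svc.git", set(risky)))
```

Against the sample data, carol is the only indirect member without an SSO identity, and her fetch of secret-svc.git is the one access flagged for review.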

Technical Details

Data Version: 5.1
Assigner Short Name: GitLab
Date Reserved: 2023-06-06T03:19:59.543Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682ea68a0acd01a249253f28

Added to database: 5/22/2025, 4:22:34 AM

Last enriched: 7/7/2025, 11:12:24 AM

Last updated: 8/4/2025, 6:52:46 AM