
CVE-2023-3950: CWE-312: Cleartext Storage of Sensitive Information in GitLab GitLab

Medium
Tags: Vulnerability, CVE-2023-3950, CWE-312
Published: Fri Sep 01 2023 (09/01/2023, 10:30:46 UTC)
Source: CVE
Vendor/Project: GitLab
Product: GitLab

Description

An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it.

AI-Powered Analysis

Last updated: 07/07/2025, 11:41:07 UTC

Technical Analysis

CVE-2023-3950 is a medium-severity information disclosure vulnerability affecting GitLab Enterprise Edition versions 16.2 up to but not including 16.2.5, and 16.3 up to but not including 16.3.1. The vulnerability arises from improper handling of sensitive information related to Google Cloud Logging audit event streaming destinations. Specifically, the Public Key used for this audit event streaming was stored in cleartext and accessible to all Group Owners within a GitLab instance. This means that any Group Owner could read the Public Key, which should be treated as sensitive information, potentially leading to unauthorized information disclosure. The vulnerability is categorized under CWE-312, which pertains to cleartext storage of sensitive data. The issue was addressed by changing permissions so that Group Owners can write the key but no longer have read access. The CVSS v3.1 base score is 5.5, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is low, with no impact on availability. No known exploits are reported in the wild at the time of publication. This vulnerability primarily impacts organizations using GitLab EE with Google Cloud Logging audit event streaming configured, where multiple Group Owners exist, potentially exposing sensitive cryptographic material to unauthorized privileged users within the same organization.
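The access-control shape described above, as an added illustration that is not GitLab's code: a streaming-destination record whose key any Group Owner could read back before the fix, beside the write-only form that the advisory describes as the remedy. The `Destination` class, the role names and the `to_api_*` serializers are hypothetical; the key is called the "Public Key" because that is the advisory's wording.

```python
from dataclasses import dataclass, field

# Hypothetical role names used only for this illustration.
OWNER = "owner"
MAINTAINER = "maintainer"


@dataclass
class Destination:
    """A Google Cloud Logging audit-event streaming destination (hypothetical model)."""
    name: str
    log_id: str
    # repr=False keeps the key out of logs and tracebacks as well as API output.
    _public_key: str = field(default="", repr=False)

    def set_public_key(self, role: str, key: str) -> None:
        # Writing the key is an Owner-only operation in both the vulnerable and fixed forms.
        if role != OWNER:
            raise PermissionError("only Owners may configure the streaming key")
        self._public_key = key

    def to_api_vulnerable(self, role: str) -> dict:
        # Before the fix (CWE-312): any Owner who read the destination got the stored
        # key back verbatim, so every Group Owner could see it.
        if role != OWNER:
            raise PermissionError("only Owners may view streaming destinations")
        return {"name": self.name, "log_id": self.log_id, "public_key": self._public_key}

    def to_api_fixed(self, role: str) -> dict:
        # After the fix: the key is write-only. Reads reveal whether a key is set,
        # never its value, so Owners can rotate it without being able to read it.
        if role != OWNER:
            raise PermissionError("only Owners may view streaming destinations")
        return {"name": self.name, "log_id": self.log_id, "public_key_set": bool(self._public_key)}


def demo() -> tuple[dict, dict]:
    """Return (vulnerable_view, fixed_view) of one destination as seen by a second Owner."""
    dest = Destination(name="audit-stream", log_id="gitlab-audit")
    dest.set_public_key(OWNER, "CONSTRUCTED-SAMPLE-KEY")  # constructed value, not a real key
    return dest.to_api_vulnerable(OWNER), dest.to_api_fixed(OWNER)


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)
    print("after fix: ", after)
```

The design point is that "write" and "read" are separate permissions on a secret: a role that must be able to rotate a key does not thereby need to read it, and a serializer that returns only `public_key_set` lets the UI show configuration state without the value ever leaving the server.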

Potential Impact

For European organizations, the impact of CVE-2023-3950 depends largely on their use of GitLab EE and Google Cloud Logging audit event streaming. Organizations that rely on GitLab for source code management and have configured Google Cloud audit event streaming with multiple Group Owners are at risk of internal information disclosure. Exposure of the Public Key could facilitate unauthorized access or manipulation of audit logs or related cloud resources if combined with other vulnerabilities or insider threats. Although the direct impact on confidentiality and integrity is rated low, the vulnerability could undermine trust in audit trail integrity and complicate compliance with European data protection regulations such as GDPR, which emphasize secure handling of sensitive information. Additionally, the vulnerability could increase insider threat risks, as privileged users might access sensitive keys beyond their intended permissions. This could be particularly concerning for organizations in regulated sectors like finance, healthcare, or critical infrastructure, where audit integrity and key confidentiality are paramount. However, since exploitation requires high privileges and no known exploits exist, the immediate risk is moderate but should not be ignored.

Mitigation Recommendations

European organizations should promptly update GitLab EE to versions 16.2.5, 16.3.1, or later, where this vulnerability is patched. Until updates can be applied, organizations should review and restrict the number of Group Owners to the minimum necessary, reducing the attack surface. Implement strict access controls and auditing on privileged accounts to detect any unauthorized attempts to access sensitive keys. Additionally, organizations should consider rotating the affected Public Keys used for Google Cloud Logging audit event streaming after patching to invalidate any potentially exposed keys. Monitoring and alerting on unusual access patterns to audit configurations or key management interfaces can help detect exploitation attempts. Finally, organizations should review their internal policies regarding key management and privilege separation to ensure sensitive information is not unnecessarily exposed to multiple privileged users.


Technical Details

Data Version: 5.1
Assigner Short Name: GitLab
Date Reserved: 2023-07-25T17:30:22.877Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682ea68a0acd01a249253f72

Added to database: 5/22/2025, 4:22:34 AM

Last enriched: 7/7/2025, 11:41:07 AM

Last updated: 8/12/2025, 8:50:50 AM
