GitLab EE GraphQL Mutation Authorization Vulnerability

A vulnerability has been identified in GitLab Enterprise Edition (EE) versions 18.3 prior to 18.3.4 and 18.4 prior to 18.4.2. This vulnerability could have allowed authenticated users with read-only API tokens to execute unauthorized write operations on vulnerability records. The issue arose from incorrectly scoped GraphQL mutations, which under certain conditions, could be exploited to manipulate vulnerability data.

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of vulnerability records, potentially allowing for the manipulation of issue tracking and project management processes.

Remediation

Users are advised to upgrade to GitLab versions 18.4.2, 18.3.4, or 18.2.8. Instructions for updating GitLab can be found in the GitLab Update documentation. After upgrading, be aware that this patch includes database migrations that may impact your installation.