GitLab EE Improper Access Control Vulnerability in Group Security Configuration

A vulnerability has been addressed in GitLab Enterprise Edition (EE) versions 18.6 prior to 18.8.7, 18.9 prior to 18.9.3, and 18.10 prior to 18.10.1. This vulnerability allowed an authenticated user with the Planner role to access security category metadata and attributes in group security settings, due to inadequate access control. The issue was reported through GitLab's HackerOne bug bounty program.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive security metadata and attributes, potentially allowing for misuse in group security configurations.

Remediation

Users are advised to upgrade to GitLab EE versions 18.10.1, 18.9.3, or 18.8.7. Instructions for updating GitLab can be found on the GitLab Update page. Note that the SLES 12.5 package is not available for GitLab 18.10.1.