GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*
- >= 17.7, < 17.7.6
- >= 17.8, < 17.8.4
- >= 17.9, < 17.9.1
A vulnerability exists in GitLab EE versions 17.7 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. This vulnerability allows users with planner roles to access sensitive project analytics data, specifically code review analytics, in private projects. This access is unauthorized, as the documentation states that such analytics should only be available to users with reporter roles or higher.
Exploitation of this vulnerability allows unauthorized access to code review analytics in private projects, which could lead to a misrepresentation of user roles and permissions.
To reproduce this vulnerability, a user on an Ultimate plan invites a user with the Planner role to a private project. Once added, the Planner-role user can open the project's code review analytics section, even though the documentation states that this access should be restricted to users with the Reporter role or higher.
Users can update to GitLab EE versions 17.7.6, 17.8.4, or 17.9.1, where this vulnerability has been fixed.
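As an added defender's check (example code, not GitLab's own), the snippet below tests a reported GitLab version against the affected ranges above and lists Planner-role members of private projects, i.e. the accounts that could view code review analytics on an unpatched instance. It assumes the Planner role is reported by the members API as `access_level` 15 and uses constructed sample data in the shape of the `/projects` and `/projects/:id/members/all` responses.

```python
# Added example (not GitLab's own code): version-range check for the affected
# EE releases plus an inventory of Planner-role members in private projects.
# Assumption: Planner is access_level 15 in GitLab's REST API member records.

# (inclusive minor series, exclusive fixed version) taken from the advisory
AFFECTED_RANGES = [((17, 7), (17, 7, 6)), ((17, 8), (17, 8, 4)), ((17, 9), (17, 9, 1))]
PLANNER_ACCESS_LEVEL = 15  # assumption, see lead-in


def parse_version(version_str):
    # "17.8.3-ee" -> (17, 8, 3): drop the edition suffix, keep numeric parts
    core = version_str.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version_str):
    # affected when the version is in a listed minor series and below its fix
    v = parse_version(version_str)
    return any(v[:2] == series and v < fixed for series, fixed in AFFECTED_RANGES)


def planner_members_of_private_projects(projects, members_by_project):
    # projects: dicts like GET /projects (id, path_with_namespace, visibility)
    # members_by_project: {project id: member dicts from GET /projects/:id/members/all}
    findings = []
    for project in projects:
        if project.get("visibility") != "private":
            continue  # the advisory concerns private projects only
        for member in members_by_project.get(project["id"], []):
            if member.get("access_level") == PLANNER_ACCESS_LEVEL:
                findings.append((project["path_with_namespace"], member["username"]))
    return findings


# Constructed sample data (not real API output)
SAMPLE_PROJECTS = [
    {"id": 1, "path_with_namespace": "acme/billing", "visibility": "private"},
    {"id": 2, "path_with_namespace": "acme/docs", "visibility": "public"},
]
SAMPLE_MEMBERS = {
    1: [{"username": "alice", "access_level": 15}, {"username": "bob", "access_level": 30}],
    2: [{"username": "carol", "access_level": 15}],
}

if __name__ == "__main__":
    for ver in ("17.7.5-ee", "17.8.4-ee", "17.9.0-ee", "17.10.0-ee"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    print(planner_members_of_private_projects(SAMPLE_PROJECTS, SAMPLE_MEMBERS))
```

On a live instance, feed `is_affected` the `version` field from `GET /api/v4/version` and the inventory function the member listings of your private projects; any hits on an unpatched version are the accounts to review.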