GitLab CE/EE Improper Access Control Vulnerability in Project Fork Relationship API

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.2 prior to 18.9.6, 18.10 prior to 18.10.4, and 18.11 prior to 18.11.1. This vulnerability allows an authenticated user with project owner permissions to bypass group fork prevention settings under certain conditions, due to improper authorization checks. This could lead to unauthorized forking of projects, potentially allowing for malicious modifications or disruptions.

Impact

Exploitation of this vulnerability could result in unauthorized project forking, allowing project owners to bypass group fork prevention settings and potentially introduce malicious changes or disruptions.

Remediation

Users are advised to upgrade to GitLab versions 18.11.1, 18.10.4, or 18.9.6. Instructions for updating GitLab can be found on the GitLab Update page. For GitLab Runner, see the Updating the Runner page.