GitLab CE/EE Improper Access Control Vulnerability in Snippet Rendering

Vulnerability

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 15.6 prior to 18.7.6, 18.8 prior to 18.8.6, and 18.9 prior to 18.9.2. It allows an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits that the user is not authorized to view. The root cause is inadequate filtering of references during snippet rendering, which can be exploited under certain circumstances.

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of metadata from private project elements, including issues, merge requests, epics, milestones, and commits.

Remediation

Users are advised to upgrade to GitLab version 18.7.6, 18.8.6, or 18.9.2, the first patched release of each affected branch. Instructions for updating GitLab can be found on the GitLab Update page. For GitLab Runner, refer to the Updating the Runner page.
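The following script is an added example, not code from GitLab or from this advisory's publisher. It encodes the three affected ranges stated above and checks whether a given instance version falls inside one of them, returning the patched release to move to. It accepts bare version strings such as "18.8.3-ee" and also the JSON object that GitLab's REST endpoint GET /api/v4/version returns; the sample payload below is constructed for the example, and the helper names (parse_version, is_affected, fixed_version_for, assess_version_payload) are this example's own.

```python
"""Check a GitLab CE/EE version against the affected ranges in this advisory."""
from __future__ import annotations

import re

# Affected ranges from the advisory, as (lowest affected, first fixed) tuples.
# The upper bound is exclusive: the fixed release itself is not affected.
AFFECTED_RANGES = (
    ((15, 6, 0), (18, 7, 6)),   # 15.6 prior to 18.7.6
    ((18, 8, 0), (18, 8, 6)),   # 18.8 prior to 18.8.6
    ((18, 9, 0), (18, 9, 2)),   # 18.9 prior to 18.9.2
)

# GitLab versions look like "18.8.3", "18.8.3-ee", "18.9.0-rc1" or just "18.8";
# an optional leading "v" is tolerated and any suffix after the patch number is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'X.Y' or 'X.Y.Z' (with an optional -ee / -rc suffix) into a comparable tuple."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range."""
    parsed = parse_version(version)
    return any(low <= parsed < fixed for low, fixed in AFFECTED_RANGES)


def fixed_version_for(version: str) -> str | None:
    """Return the lowest patched release whose range covers this version.

    Returns None when the version is already patched or outside every affected range.
    """
    parsed = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= parsed < fixed:
            return ".".join(str(part) for part in fixed)
    return None


def assess_version_payload(payload: dict) -> dict:
    """Assess the JSON object returned by GET /api/v4/version (key 'version')."""
    version = payload["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": fixed_version_for(version),
    }


if __name__ == "__main__":
    # Constructed sample payload in the shape of /api/v4/version; not real instance data.
    sample_payload = {"version": "18.8.3-ee", "revision": "placeholder-revision"}
    print(assess_version_payload(sample_payload))
```

Run it against the version reported by your own instance; any result with "affected": true should be scheduled for the listed upgrade, and the script can be dropped into an inventory job to sweep several instances at once.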

Added: Mar 11, 2026, 4:29 PM
Updated: Mar 11, 2026, 4:29 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 0.6
exploitability: 5.2
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.