GitLab CE/EE Missing Authorization Vulnerability in Custom Role Permissions

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 18.2 prior to 18.8.9, 18.9 prior to 18.9.5, and 18.10 prior to 18.10.3. This vulnerability allows an authenticated user with custom role permissions to demote or remove higher-privileged group members. The issue arises from improper authorization checks on member management operations.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in group member privileges, allowing lower-privileged users to disrupt the roles of higher-privileged members.

Remediation

Users are advised to upgrade to GitLab versions 18.10.3, 18.9.5, or 18.8.9. Instructions for updating GitLab can be found in the GitLab Update documentation. Note that the SLES 12.5 packages for 18.10.3 and 18.9.5 are not present in this release.