GitLab WebSocket Improper Access Control Vulnerability Allowing Method Invocation

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) in versions 16.9.6 prior to 18.8.9, 18.9 prior to 18.9.5, and 18.10 prior to 18.10.3. This vulnerability could have allowed an authenticated user to invoke unintended server-side methods through WebSocket connections, due to improper access control. GitLab has released patches for this vulnerability in the versions 18.10.3, 18.9.5, and 18.8.9.

Impact

Exploitation of this vulnerability could lead to unauthorized invocation of server-side methods, potentially allowing for further actions or access on the server.

Remediation

Users are strongly recommended to upgrade to GitLab versions 18.10.3, 18.9.5, or 18.8.9. Instructions for updating GitLab can be found in the GitLab Update documentation. Note that the SLES 12.5 packages for 18.10.3 and 18.9.5 are not present in this release.