CVE-2021-39903 in Community Editioninfo

Summary

by MITRE • 11/05/2021

In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 11/10/2021

This vulnerability exists within GitLab Community Edition and Enterprise Edition platforms across all versions from 13.0 onwards, representing a significant privilege escalation flaw that undermines the platform's access control mechanisms. The technical flaw stems from a missing validation check in the application's API endpoints responsible for managing group and project visibility settings. Specifically, when a privileged user attempts to modify visibility levels through API calls, the system fails to properly verify whether the requested visibility level is permitted by the instance-wide settings configuration. This bypass occurs because the API implementation does not cross-reference the current instance-level restrictions with the user's requested changes, allowing unauthorized modification of visibility settings that should be restricted. The vulnerability directly violates the principle of least privilege and demonstrates a critical failure in the application's authorization framework.

The operational impact of this vulnerability is severe as it enables malicious or compromised privileged users to circumvent administrative controls designed to maintain security posture across the GitLab instance. An attacker with sufficient privileges could elevate their access level by changing project or group visibility to restricted options that are normally unavailable to them, potentially exposing sensitive code repositories or confidential project data to unauthorized personnel. This flaw particularly affects organizations that rely on GitLab's visibility controls as part of their security strategy, as it allows bypass of administrative restrictions that are intended to prevent data leakage or unauthorized access to sensitive information. The vulnerability can be exploited through automated API calls, making it particularly dangerous in environments where automated tooling or CI/CD pipelines interact with GitLab systems.

The root cause of this vulnerability aligns with CWE-693, which addresses Protection Mechanism Failure, and can be mapped to ATT&CK technique T1078.004 for Valid Accounts and T1484.001 for Privilege Escalation through abuse of administrative privileges. Organizations should implement immediate mitigations including disabling unnecessary API access for non-privileged users, enforcing strict access controls on administrative API endpoints, and monitoring API calls for suspicious visibility level changes. Additionally, administrators should regularly audit visibility settings and implement automated alerts when restricted visibility options are modified, as this represents a clear indicator of potential exploitation attempts. The vulnerability underscores the importance of proper input validation and authorization checks in web applications, particularly when dealing with sensitive configuration settings that control access to critical resources within enterprise platforms.

Responsible

GitLab Inc.

Reservation

08/23/2021

Disclosure

11/05/2021

Moderation

accepted

CPE

ready

EPSS

0.01098

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!