This issue has been fixed in GitLab 15.2.4 and 15.3.2. Upgrade any affected self-managed instance to one of those releases, or to a later release, following the standard GitLab upgrade documentation for your installation type.

Description: An improper access control issue in GitLab EE/EE+, affecting all versions starting from 15.2 before 15.2.4 and all versions starting from 15.3 before 15.3.2, allows disclosure of confidential information via the Incident details.

Impact: The Incident details and the Incidents timeline are readable by all users, including users who do not have permission to view other team members' incident details or timeline events.
GitLab Core Issue
A vulnerability in GitLab EE/EE+ from 15.2 before 15.2.4 and from 15.3 before 15.3.2 could allow disclosure of confidential information via the Incident details when a user is added to, or removed from, a project whose visibility level is "Private".
Fixed in GitLab 15.2.4 and 15.3.2; upgrade to one of those releases or later.
How to verify if you are affected
Check the running version of your instance (the Help page at /help when signed in, `sudo gitlab-rake gitlab:env:info` on an Omnibus install, or the authenticated GET /api/v4/version REST endpoint). You are affected if the instance runs GitLab EE/EE+ 15.2.0 through 15.2.3 or 15.3.0 through 15.3.1, i.e. any version starting from 15.2 before 15.2.4 or starting from 15.3 before 15.3.2. On those versions the Incident details and Incidents timeline can be read by users who do not have permission to view other team members' details or timelines.
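The version check above, as an added example that is not part of the original advisory and not GitLab's own tooling. It encodes the two affected ranges from the advisory text (15.2 before 15.2.4, 15.3 before 15.3.2) as half-open intervals, parses version strings such as `15.3.1-ee`, and optionally queries the standard authenticated `GET /api/v4/version` endpoint. The instance URL in `GITLAB_URL` and the token in `GITLAB_TOKEN` are assumptions for illustration; the advisory only lists EE/EE+, so confirm the edition of the instance as well.

```python
"""Check a GitLab version against the affected ranges in this advisory.

Added example, not GitLab's own code.  Assumptions: the instance exposes
the standard authenticated GET /api/v4/version endpoint, the token in
GITLAB_TOKEN can read it, and the ranges below are copied from the
advisory text (15.2 before 15.2.4, 15.3 before 15.3.2).
"""
import json
import os
import re
import sys
import urllib.request

# (first affected, first fixed): lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ((15, 2, 0), (15, 2, 4)),
    ((15, 3, 0), (15, 3, 2)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '15.3.1-ee' or '15.3.1' into (15, 3, 1); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def _as_tuple(version):
    return parse_version(version) if isinstance(version, str) else tuple(version)


def is_affected(version):
    """True if the version lies in one of the advisory's affected ranges."""
    v = _as_tuple(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_release_for(version):
    """First fixed release on the same minor line, or None if not affected."""
    v = _as_tuple(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


def fetch_instance_version(base_url, token):
    """Query the authenticated GET /api/v4/version endpoint; return 'version'."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


def main():
    # GITLAB_URL / GITLAB_TOKEN are assumed names for this example.
    base_url = os.environ.get("GITLAB_URL", "https://gitlab.example.com")
    token = os.environ.get("GITLAB_TOKEN")
    if not token:
        sys.exit("set GITLAB_TOKEN to a token that can read /api/v4/version")
    ver = fetch_instance_version(base_url, token)
    if is_affected(ver):
        print(f"{ver}: AFFECTED, upgrade to {fixed_release_for(ver)} or later")
        sys.exit(1)
    print(f"{ver}: not in an affected range")


if __name__ == "__main__":
    main()
```

Run with `GITLAB_URL=https://your-instance GITLAB_TOKEN=... python3 check_version.py`; a non-zero exit means the instance reports a version inside an affected range. The check is deliberately strict about the version string: an unrecognised format raises rather than silently reporting "not affected".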
GitLab version and update history
Vulnerable code introduced: GitLab EE/EE+ 15.2 (all versions starting from 15.2 are affected until the fix).
Affected: GitLab EE/EE+ 15.2.0 through 15.2.3 and 15.3.0 through 15.3.1.
Fixed: GitLab 15.2.4 and 15.3.2.
Timeline
Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 18:00:00 UTC