PT-2021-22750 · Gitlab · Gitlab Ce/Ee+1

S4Nderdevelopment · Published 2021-11-04 · Updated 2024-03-06 · CVE-2021-39903

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 13.0 and later
Description: A user who already holds elevated privileges on a group or project can change its visibility level to one the instance administrator has marked as restricted (Admin Area > Settings > General > Visibility and access controls > Restricted visibility levels) by making the change through an API call; the restricted-visibility setting is not honoured on that path. This defeats an instance-wide control: a project the administrator intended never to be public can still be made public by its own privileged members. The issue affects all versions of GitLab CE/EE since 13.0.
Recommendations: Upgrade to a GitLab CE/EE release that fixes CVE-2021-39903. Where an upgrade cannot be applied immediately, restrict who can reach the API endpoints that change group and project visibility (for example at a reverse proxy in front of the instance), or temporarily remove the ability of non-administrator privileged users to modify visibility settings for groups and projects. Patching does not revert changes that were already made: after upgrading, audit existing groups and projects for visibility levels that fall within the restricted set and correct any that were changed.
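The audit step above, as an added example (not part of the original advisory and not GitLab's own code): the script reads the instance's restricted_visibility_levels from the documented GET /api/v4/application/settings endpoint, lists groups and projects, and reports every object whose current visibility is one the administrator has restricted. The base URL, the token and the sample payloads at the bottom are assumptions constructed so the logic runs offline; the live functions expect an instance administrator's personal access token.

```python
"""Audit a GitLab instance for groups and projects whose visibility level is
one the administrator has restricted (Admin Area > Settings > General >
Visibility and access controls > Restricted visibility levels).

Added example for CVE-2021-39903; this is not GitLab's own code. It uses the
documented REST endpoints GET /api/v4/application/settings (admin token
required), GET /api/v4/groups and GET /api/v4/projects. The sample payloads
at the bottom are constructed so the logic can be run offline.
"""
import json
import urllib.request
from typing import Dict, List


def find_restricted(settings: Dict, groups: List[Dict], projects: List[Dict]) -> List[Dict]:
    """Return each group/project whose current visibility is one of the
    instance's restricted_visibility_levels. Such objects either predate the
    restriction or were set through the API path this CVE describes; both
    cases need review, because patching does not revert existing visibility."""
    restricted = set(settings.get("restricted_visibility_levels", []))
    findings = []
    for kind, items in (("group", groups), ("project", projects)):
        for item in items:
            visibility = item.get("visibility")
            if visibility in restricted:
                findings.append({
                    "kind": kind,
                    "id": item["id"],
                    # groups carry full_path, projects carry path_with_namespace
                    "path": item.get("full_path") or item.get("path_with_namespace"),
                    "visibility": visibility,
                })
    return findings


def _get_json(base_url: str, path: str, token: str):
    """GET an API path, authenticating with a personal access token."""
    req = urllib.request.Request(f"{base_url}/api/v4{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _get_all_pages(base_url: str, path: str, token: str, per_page: int = 100) -> List[Dict]:
    """Follow GitLab's offset pagination until an empty page comes back."""
    items: List[Dict] = []
    page = 1
    while True:
        sep = "&" if "?" in path else "?"
        chunk = _get_json(base_url, f"{path}{sep}per_page={per_page}&page={page}", token)
        if not chunk:
            return items
        items.extend(chunk)
        page += 1


def audit_instance(base_url: str, admin_token: str) -> List[Dict]:
    """Live audit. base_url is e.g. https://gitlab.example.com (assumed); the
    token must belong to an instance administrator so that all groups and
    projects, not only the caller's own, are returned."""
    settings = _get_json(base_url, "/application/settings", admin_token)
    groups = _get_all_pages(base_url, "/groups?all_available=true", admin_token)
    projects = _get_all_pages(base_url, "/projects", admin_token)
    return find_restricted(settings, groups, projects)


# Constructed sample responses: the shape follows the GitLab API docs, the
# values are made up for this example.
SAMPLE_SETTINGS = {"restricted_visibility_levels": ["public"]}
SAMPLE_GROUPS = [
    {"id": 10, "full_path": "infra", "visibility": "private"},
    {"id": 11, "full_path": "infra/secrets", "visibility": "public"},
]
SAMPLE_PROJECTS = [
    {"id": 42, "path_with_namespace": "infra/secrets/vault-config", "visibility": "public"},
    {"id": 43, "path_with_namespace": "infra/tooling", "visibility": "internal"},
]


def sample_findings() -> List[Dict]:
    """Run the audit logic over the constructed sample data."""
    return find_restricted(SAMPLE_SETTINGS, SAMPLE_GROUPS, SAMPLE_PROJECTS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(f"{finding['kind']} {finding['id']} {finding['path']} is {finding['visibility']}")
```

Run it against the samples to see the two objects that violate the "public" restriction; for a live instance call audit_instance with the base URL and an administrator token. Objects it reports are not necessarily the result of this bug (they may simply predate the restriction), so each one needs a human decision on whether the visibility is intended.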

Fix

Related Identifiers

BIT-GITLAB-2021-39903
CVE-2021-39903

Affected Products

Gitlab
Gitlab Ce/Ee