PT-2024-1870 · Gitlab · Gitlab Ce/Ee+1

Them4Les_L1Ron · Published 2024-01-24 · Updated 2024-10-03 · CVE-2024-0861

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

GitLab EE versions 16.4 through 16.7.5
GitLab EE versions 16.8 through 16.8.2
GitLab EE versions 16.9 through 16.9.0
Description

An issue has been discovered in GitLab EE where users with the Guest role can change Custom dashboard projects settings contrary to their permissions. The root cause is a deficiency in the authorization check for these settings: an authenticated remote attacker holding only the Guest role (PR:L in the vector above) can modify the custom dashboard projects settings of a project they should not be able to change, which is an integrity impact (I:L) with no confidentiality or availability impact.
Recommendations

For GitLab EE versions 16.4 through 16.7.5, update to version 16.7.6 or later.
For GitLab EE versions 16.8 through 16.8.2, update to version 16.8.3 or later.
For GitLab EE versions 16.9 through 16.9.0, update to version 16.9.1 or later.

If the update cannot be applied immediately, consider restricting the Guest role's access to the Custom dashboard projects settings as a temporary workaround until the instance is upgraded.
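As an added example that is not part of this advisory or of GitLab's own code: a small Python check that maps a GitLab version string onto the affected ranges and minimum fixed versions listed above, for use in an inventory or patch-compliance script. The affected and fixed version numbers are taken from this advisory; the version-string format ("16.7.5-ee", as GitLab's /api/v4/version endpoint reports it) and the function names are assumptions made for the example. The advisory names only EE, so the edition should be confirmed separately; this check compares version numbers only.

```python
"""Version-range check for CVE-2024-0861 (added example, not from the advisory).

Affected and fixed versions come from the advisory text above. Parsing of
GitLab version strings such as "16.7.5-ee" (the format returned by
GET /api/v4/version) is an assumption made for this example.
"""
from __future__ import annotations

from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per release branch, per the advisory.
AFFECTED_RANGES = [
    ((16, 4, 0), (16, 7, 5), (16, 7, 6)),
    ((16, 8, 0), (16, 8, 2), (16, 8, 3)),
    ((16, 9, 0), (16, 9, 0), (16, 9, 1)),
]


def parse_version(text: str) -> Version:
    """Parse "MAJOR.MINOR[.PATCH][-suffix]" into a 3-tuple; a missing patch is 0.

    The edition suffix ("-ee", "-ce") is dropped because the advisory lists
    version numbers only; check the edition separately.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(version: str) -> Optional[Version]:
    """Return the minimum fixed version if `version` is affected, else None."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True when `version` falls inside one of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


if __name__ == "__main__":
    # Constructed sample inputs covering the boundaries of each affected range.
    samples = ["16.3.7-ee", "16.4.0-ee", "16.7.5-ee", "16.7.6-ee",
               "16.8.2-ee", "16.8.3-ee", "16.9.0-ee", "16.9.1-ee"]
    for sample in samples:
        fixed = fixed_version_for(sample)
        if fixed is None:
            print(f"{sample}: not affected")
        else:
            print(f"{sample}: affected, update to {format_version(fixed)} or later")
```

Range boundaries are inclusive on both ends, matching the advisory's "through" wording, and a two-component version such as "16.8" is treated as 16.8.0 so that the start of each affected branch is covered.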

Weakness Enumeration

Improper Authorization

Related Identifiers

BDU:2024-01632
BIT-GITLAB-2024-0861
CVE-2024-0861

Affected Products

Gitlab
Gitlab Ce/Ee