CVE-2024-1250

Name of the Vulnerable Software and Affected Versions: GitLab EE versions 16.8 through 16.8.2

Description: The issue is related to insecure privilege management in GitLab EE. When a user is assigned a custom role with the manage group access tokens permission, they may be able to create group access tokens with Owner privileges, leading to privilege escalation. This could allow a remote attacker to elevate their privileges.

Recommendations: For GitLab EE versions 16.8 through 16.8.2, consider disabling the custom role with the manage group access tokens permission until a patch is available to prevent potential privilege escalation. Restrict access to group access tokens to minimize the risk of exploitation. Avoid assigning the manage group access tokens permission to users who do not require it. At the moment, there is no information about a newer version that contains a fix for this vulnerability.