GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.11, 9.1.8, 9.2.8 allow an authenticated user with the ability to create a group to add themselves to any project that is inside a subgroup.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gitlab | Gitlab | 9.0.0 (including) | 9.0.0 (including) |
| Gitlab | Gitlab | 9.0.1 (including) | 9.0.1 (including) |
| Gitlab | Gitlab | 9.0.2 (including) | 9.0.2 (including) |
| Gitlab | Gitlab | 9.0.3 (including) | 9.0.3 (including) |
| Gitlab | Gitlab | 9.0.4 (including) | 9.0.4 (including) |
| Gitlab | Gitlab | 9.0.5 (including) | 9.0.5 (including) |
| Gitlab | Gitlab | 9.0.6 (including) | 9.0.6 (including) |
| Gitlab | Gitlab | 9.0.7 (including) | 9.0.7 (including) |
| Gitlab | Gitlab | 9.0.8 (including) | 9.0.8 (including) |
| Gitlab | Gitlab | 9.0.9 (including) | 9.0.9 (including) |
| Gitlab | Gitlab | 9.0.10 (including) | 9.0.10 (including) |
| Gitlab | Gitlab | 9.1.0 (including) | 9.1.0 (including) |
| Gitlab | Gitlab | 9.1.1 (including) | 9.1.1 (including) |
| Gitlab | Gitlab | 9.1.2 (including) | 9.1.2 (including) |
| Gitlab | Gitlab | 9.1.3 (including) | 9.1.3 (including) |
| Gitlab | Gitlab | 9.1.4 (including) | 9.1.4 (including) |
| Gitlab | Gitlab | 9.1.5 (including) | 9.1.5 (including) |
| Gitlab | Gitlab | 9.1.6 (including) | 9.1.6 (including) |
| Gitlab | Gitlab | 9.1.7 (including) | 9.1.7 (including) |
| Gitlab | Gitlab | 9.2.0 (including) | 9.2.0 (including) |
| Gitlab | Gitlab | 9.2.1 (including) | 9.2.1 (including) |
| Gitlab | Gitlab | 9.2.2 (including) | 9.2.2 (including) |
| Gitlab | Gitlab | 9.2.3 (including) | 9.2.3 (including) |
| Gitlab | Gitlab | 9.2.4 (including) | 9.2.4 (including) |
| Gitlab | Gitlab | 9.2.5 (including) | 9.2.5 (including) |
| Gitlab | Gitlab | 9.2.6 (including) | 9.2.6 (including) |
| Gitlab | Gitlab | 9.2.7 (including) | 9.2.7 (including) |