CVE-2021-22172: 
GitLab vulnerability analysis and mitigation

Improper authorization in GitLab versions 12.8 and above allows a guest user in a private project to view tag data that should be inaccessible on the releases page. The vulnerability was discovered in early 2021 and assigned identifier CVE-2021-22172. This security issue affects GitLab Community Edition (CE) and Enterprise Edition (EE) installations (GitLab Security Release, NVD).

The vulnerability stems from an authorization control issue where guest users could access tag information through the releases page and API endpoints, despite lacking the proper permissions. The issue has a CVSS v3.1 score of 4.3 (Medium) with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and privileged access requirements (GitLab Security Release).

The vulnerability allows guest users to view tag data in private projects that should be restricted, leading to unauthorized access to potentially sensitive version control information. According to GitLab's documentation, guest users should only be able to access GitLab Releases for downloading assets but should not have access to repository information like tags and commits (GitLab Issue).

The vulnerability was patched in GitLab versions 13.8.2, 13.7.6, and 13.6.6. GitLab strongly recommends that all installations running affected versions be upgraded to the latest version as soon as possible to mitigate this security issue (GitLab Security Release).