CVE-2021-22180: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab affecting all versions starting from 13.4 where improper access control allowed unauthorized users to access details on analytic pages. The vulnerability was reported through GitLab's HackerOne bug bounty program and was assigned CVE-2021-22180. The issue was publicly disclosed and patched in February 2021 (GitLab Release, CVE Mitre).

The vulnerability allowed unauthorized users to bypass access controls and view analytics pages in public projects even when the settings were configured to restrict access to 'Only Project Members'. While the analytics menu would not be visible to non-members as expected, users could still access the analytics pages by directly visiting specific URLs such as '/-/graphs/master/charts', 'insights/#/issues', and '-/analytics/code_reviews'. The vulnerability received a CVSS v3.1 score of 4.3 (MEDIUM) and a CVSS v2.0 score of 4.0 (MEDIUM) (NVD Results).

The vulnerability exposed analytics data to unauthorized users, potentially revealing sensitive project metrics and statistics that were intended to be restricted to project members only. This could lead to the disclosure of confidential project information and analytics insights to individuals who should not have access to such data (HackerOne Report).

The vulnerability was addressed in GitLab security releases 13.8.4, 13.7.7, and 13.6.7. GitLab strongly recommended that all installations running affected versions be upgraded to the latest version as soon as possible to mitigate this security issue (GitLab Release).