CVE-2021-22198: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab CE/EE affecting all versions from 13.8 and above, identified as CVE-2021-22198. The vulnerability allows an authenticated user to delete incident metric images of public projects, even without proper permissions. The issue was disclosed on March 31, 2021, and affects both Community Edition (CE) and Enterprise Edition (EE) versions of GitLab (GitLab Release).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue specifically affects the metric images functionality in GitLab's incident management feature, where the access control implementation failed to properly validate user permissions when handling deletion requests for metric images (NVD).

The vulnerability allows authenticated users to delete metric images from public project incidents without having the appropriate permissions. This could lead to unauthorized removal of important incident-related visual data, potentially affecting incident documentation and analysis capabilities (GitLab Release).

The vulnerability has been fixed in GitLab versions 13.10.1, 13.9.5, and 13.8.7. Organizations running affected versions are strongly recommended to upgrade to one of these patched versions immediately to mitigate the security risk (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's bug bounty program on HackerOne by security researcher @ashishrpadelkar. GitLab addressed the issue promptly by releasing security patches and assigning it a medium severity rating (GitLab Release).