CVE-2021-22250: 
GitLab vulnerability analysis and mitigation

Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account. The vulnerability was discovered and reported through GitLab's HackerOne bug bounty program by researcher @jimeno and was assigned CVE-2021-22250. The issue was patched in GitLab versions 14.1.2, 14.0.7, and 13.12.9 released on August 3, 2021 (GitLab Security Release).

The vulnerability allowed regular users to list and delete impersonation tokens created for their accounts by administrators, which should have been restricted to administrator access only. The issue could be exploited by using the GitLab API with a personal access token to list and subsequently delete impersonation tokens. This vulnerability was rated as medium severity with a CVSS score of 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) (GitLab Security Release).

The vulnerability allowed unauthorized users to view when an administrator had created an impersonation token for their account and gave them the ability to revoke these administrator-created tokens. This could potentially disrupt administrative access and monitoring capabilities that relied on impersonation tokens (GitLab Issue).

The vulnerability was fixed in GitLab versions 14.1.2, 14.0.7, and 13.12.9. Organizations were strongly recommended to upgrade to these versions immediately. The fix restricted the ability to view and manage impersonation tokens to administrators only, as originally intended (GitLab Security Release).