CVE-2021-39897: 
GitLab vulnerability analysis and mitigation

Improper access control vulnerability in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to maintain access even after the subgroup is transferred. The vulnerability was discovered in 2021 and was assigned identifier CVE-2021-39897 (GitLab Security Release).

The vulnerability stems from an access control issue where users who gained access to a project through group inheritance maintained their access privileges even after organizational changes. When a project is shared with a subgroup, users from parent groups receive inherited access. However, if the subgroup is transferred to another parent group, the users from the original parent group retained their access instead of having it properly revoked (GitLab Issue).

The vulnerability could result in unauthorized access to private projects. In worst-case scenarios, users could retain maintainer-level access to projects even after organizational changes, allowing them to access project settings and repositories without the project owner's knowledge. This created a situation where projects could have 'ghost' members with access levels ranging from Guest to Maintainer (GitLab Security Release).

The vulnerability was patched in GitLab versions 14.4.1, 14.3.4, and 14.2.6. Organizations were strongly recommended to upgrade to these versions or later to address the security issue. As a temporary workaround before patching, project owners could review and modify project access settings, as inviting a new group would remove all hidden members (GitLab Security Release).