CVE-2021-39902: 
GitLab vulnerability analysis and mitigation

Incorrect Authorization vulnerability (CVE-2021-39902) was discovered in GitLab CE/EE versions 13.4 and above. The vulnerability allows users with guest membership in a project to modify the severity of an incident, exceeding their intended permissions. This security issue was reported through GitLab's HackerOne bug bounty program and was patched in versions 14.4.1, 14.3.4, and 14.2.6 released on October 28, 2021 (GitLab Release).

The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Medium) severity. The issue stems from an incorrect authorization implementation that failed to properly validate user permissions when modifying incident severity levels. This allowed guest users to bypass intended access controls and modify incident severity settings, which should typically be restricted to users with higher privilege levels (NVD).

The vulnerability allows unauthorized modification of incident severity levels by guest users, potentially affecting incident management and response prioritization. This could lead to misrepresentation of security incidents' severity and impact the organization's incident response processes (GitLab Release).

The vulnerability has been fixed in GitLab versions 14.4.1, 14.3.4, and 14.2.6. Organizations are strongly recommended to upgrade to one of these versions immediately. No temporary workarounds were published for this vulnerability (GitLab Release).