CVE-2021-39944: 
GitLab vulnerability analysis and mitigation

A permissions validation flaw was discovered in GitLab CE/EE affecting all versions from 11.0 before 14.3.6, 14.4 before 14.4.4, and 14.5 before 14.5.2. The vulnerability allowed group members with a developer role to elevate their privilege to maintainer level on projects they import. This high severity issue (CVSS:3.1 score: 7.1) was discovered by researcher @justas_b through GitLab's HackerOne bug bounty program and was assigned CVE-2021-39944 (GitLab Security Release).

The vulnerability stemmed from improper validation of the accesslevel field in the projectmembers.ndjson file during project imports. When importing a project, a developer could modify this field to set their access level to 40 (maintainer), thereby gaining elevated privileges in the imported project. The issue received a CVSS v3.1 base score of 7.1 (High) with the following vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N (GitLab Security Release).

The vulnerability allowed developers to gain maintainer-level access to projects they import, even when their group-level permissions were restricted to developer role. This elevated access could be exploited to add deploy tokens or keys and then demote themselves to a developer role or leave the project entirely, potentially maintaining unauthorized access (GitLab Security Release).

GitLab addressed this vulnerability in versions 14.5.2, 14.4.4, and 14.3.6. Users are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com was already running the patched version at the time of disclosure (GitLab Security Release).