CVE-2023-1417: 
GitLab vulnerability analysis and mitigation

An unauthorized access vulnerability was discovered in GitLab affecting all versions starting from 15.9 before 15.9.4 and all versions starting from 15.10 before 15.10.1. The vulnerability allows an unauthorized user to add child epics linked to a victim's epic in an unrelated group (GitLab CVE, NVD).

The vulnerability exists due to improper validation of user-supplied data when handling epic relationships. An attacker with capabilities to create multi-level epics (requiring Ultimate license) can create malicious children epics by referring to a victim's epic via the parent_id through the REST API. The attacker can obtain the victim ID without being a member of the victim's group if the victim uses Public/Internal visibility (HackerOne Report).

The vulnerability allows attackers to create unauthorized associations between epics across different groups. This could lead to potential trust exploitation as victims may navigate to attacker-controlled epics, potentially exposing themselves to malicious content. The issue affects organizations using GitLab's epic feature, particularly those with Ultimate licenses (GitLab Issue).

GitLab has addressed this vulnerability in versions 15.9.4 and 15.10.1. Users are advised to upgrade to these or later versions to protect against unauthorized epic linking. Organizations should ensure they are running a patched version of GitLab to prevent unauthorized cross-group epic associations (NVD).