CVE-2024-1299: 
GitLab vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2024-1299) was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. The vulnerability allowed users with a custom role of 'managegroupaccess_tokens' to rotate group access tokens with owner privileges (GitLab Security, Debian Tracker).

The vulnerability is classified as a medium severity issue with a CVSS score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). The specific flaw exists within the handling of group access tokens, where users with the 'managegroupaccess_tokens' permission could exploit the vulnerability to rotate and view access tokens with elevated owner privileges, despite having lower-level permissions (GitLab Security).

The vulnerability allows users with lower-level permissions to gain access to group access tokens with owner privileges, potentially leading to unauthorized access to resources and privilege escalation within the GitLab instance (GitLab Security).

GitLab has released patches to address this vulnerability in versions 16.8.4 and 16.9.2. Users are strongly recommended to upgrade their GitLab installations to these patched versions immediately. GitLab.com has already been updated with the security fix (GitLab Security).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher ashishrpadelkar. GitLab has acknowledged and addressed the issue as part of their regular security release cycle (GitLab Security).