Key Vulnerability Information

CVE ID: CVE-2021-39897
Assigner: cve@gitlab.com
Affected GitLab Versions: >=12.9, =12.10, =13.0, <13.0.1
Vulnerability Type: Improper access control in GitLab
Description: In GitLab CE/EE versions 10.5 and above, when a subgroup is moved (transferred) to another group, members who had access to the subgroup's projects only because they inherited it from the old parent group keep that access after the move, instead of losing it as the new group hierarchy requires. Direct members of the subgroup are unaffected; the defect is that inherited authorizations are not revoked and recomputed against the new parent.

Related Links

GitLab Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/341017
HackerOne Report: https://hackerone.com/reports/1330806
CVE Confirmation: https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39897.json

CVSS Assessment

Attack Vector: Network
Attack Complexity: High
User Interaction: Required
Base Score: 2.6
Base Severity: Low

Acknowledgement

Thanks to joaxcar for reporting this vulnerability via the HackerOne bug bounty program.
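The following is an added, simplified model of the bug class described above; it is not GitLab's code and does not reflect GitLab's internal data model. It assumes (hypothetically) that groups form a tree, that inherited project access is the union of direct memberships along a project group's ancestor chain, and that an authorizer materialises those entitlements into a per-project cache. The vulnerable authorizer updates the tree on transfer but leaves the cache stale, so a user who only inherited access from the old parent keeps it; the fixed authorizer recomputes from the new ancestry. The `audit` method is the check a practitioner would want after any transfer: compare cached authorizations against what the current hierarchy actually grants.

```python
"""Added example (not GitLab code): stale inherited access after a subgroup
transfer, the access-control bug class behind CVE-2021-39897."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set, Tuple


@dataclass
class Group:
    """Hypothetical group node: direct members, projects, optional parent."""
    name: str
    parent: Optional["Group"] = None
    direct_members: Set[str] = field(default_factory=set)
    projects: Set[str] = field(default_factory=set)

    def ancestors_and_self(self) -> Iterator["Group"]:
        g: Optional[Group] = self
        while g is not None:
            yield g
            g = g.parent


def effective_members(group: Group) -> Set[str]:
    """Ground truth: users entitled to the group's projects, derived only from
    the CURRENT ancestor chain (direct members of the group and its ancestors)."""
    members: Set[str] = set()
    for g in group.ancestors_and_self():
        members |= g.direct_members
    return members


class VulnerableAuthorizer:
    """Models the defect: authorizations are materialised into a per-project
    cache, and a transfer changes the tree without refreshing the cache, so
    access inherited from the OLD parent survives the move."""

    def __init__(self) -> None:
        self._cache: Dict[str, Set[str]] = {}  # project -> users allowed

    def refresh(self, group: Group) -> None:
        for project in group.projects:
            self._cache[project] = set(effective_members(group))

    def transfer(self, group: Group, new_parent: Group) -> None:
        group.parent = new_parent  # hierarchy changes ...
        # ... but cached authorizations are left as they were (the bug).

    def can_access(self, user: str, project: str) -> bool:
        return user in self._cache.get(project, set())

    def audit(self, group: Group) -> Set[Tuple[str, str]]:
        """(user, project) pairs whose cached access the current hierarchy
        no longer justifies; non-empty means inherited access leaked."""
        entitled = effective_members(group)
        return {(u, p) for p in group.projects
                for u in self._cache.get(p, set()) if u not in entitled}


class FixedAuthorizer(VulnerableAuthorizer):
    """Same cache, but a transfer recomputes entitlements from the new
    ancestry, revoking what was inherited from the old parent."""

    def transfer(self, group: Group, new_parent: Group) -> None:
        super().transfer(group, new_parent)
        self.refresh(group)


def scenario(authorizer_cls) -> Dict[str, object]:
    """Constructed sample hierarchy: 'alice' is a member of the old parent
    only, 'bob' a direct member of the subgroup, 'carol' of the new parent."""
    old_parent = Group("old-parent", direct_members={"alice"})
    new_parent = Group("new-parent", direct_members={"carol"})
    sub = Group("sub", parent=old_parent, direct_members={"bob"},
                projects={"sub/app"})
    auth = authorizer_cls()
    auth.refresh(sub)                 # authorizations computed under old parent
    auth.transfer(sub, new_parent)    # subgroup moved to the new parent
    return {
        "alice_keeps_access": auth.can_access("alice", "sub/app"),  # inherited from OLD parent
        "bob_keeps_access": auth.can_access("bob", "sub/app"),      # direct member: must stay
        "carol_gains_access": auth.can_access("carol", "sub/app"),  # inherited from NEW parent
        "stale": auth.audit(sub),
    }


if __name__ == "__main__":
    for cls in (VulnerableAuthorizer, FixedAuthorizer):
        print(cls.__name__, scenario(cls))
```

With the vulnerable authorizer, `alice` still reaches `sub/app` after the move and `audit` reports her as stale, while `carol`, who should have inherited access from the new parent, is not yet authorized; with the fixed authorizer only the direct member `bob` and the new parent's member `carol` have access. The design point is that inherited authorizations must be derived from the current hierarchy (or invalidated on every structural change), never treated as a fact that survives a reparenting.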