According to its self-reported version, the instance of GitLab running on the remote web server is 14.3+ prior to 14.9.5, or 14.10.x prior to 14.10.4, or 15.0.x prior to 15.0.1. It is, therefore, affected by an authentication bypass vulnerability exists in the group member lock setting. An authenticated, remote attacker can exploit this by adding a new member to the group through the REST API, even after the group owner enabled a setting to prevent members from being added to the projects within the group.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.Read More