CVE-2024-1250: CWE-268: Privilege Chaining in GitLab

Medium
Published: Mon Feb 12 2024 (02/12/2024, 20:47:44 UTC)
Source: CVE
Vendor/Project: GitLab
Product: GitLab

Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.8 before 16.8.2. When a user is assigned a custom role with manage_group_access_tokens permission, they may be able to create group access tokens with Owner privileges, which may lead to privilege escalation.

AI-Powered Analysis

Last updated: 07/05/2025, 08:25:51 UTC

Technical Analysis

CVE-2024-1250 is a privilege escalation vulnerability in GitLab Enterprise Edition (EE) affecting versions from 16.8 up to but not including 16.8.2. The flaw lies in the custom roles feature. Creating group access tokens normally requires the Owner role; a custom role that includes the manage_group_access_tokens permission delegates that ability to a member holding a lower base role. As the advisory's description implies, the token creation path validated only that permission and did not constrain the access level requested for the new token by the requesting user's own role, so such a user could mint a group access token with the Owner access level and then authenticate with it to act as an Owner of the group: managing repositories, adding and removing members, and changing group settings. This is the pattern CWE-268 (Privilege Chaining) describes: a legitimately granted permission is combined with a second mechanism, here the token's access level, to reach privileges the user was never assigned. The CVSS v3.1 base score is 6.5 (medium) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N: reachable over the network with low attack complexity and no user interaction, but requiring an account that already holds the custom role (PR:H), with high confidentiality and integrity impact and no availability impact. No exploitation in the wild was known at the time of publication. In practical terms, any account holding such a custom role, including a compromised one, can escalate to full Owner control of the group, enabling unauthorized code changes and exposure of repository contents and group data.
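The authorization mistake described above, modelled as an added example in Ruby (GitLab's own language) that is not GitLab's code: a vulnerable check that validates only the manage_group_access_tokens permission sits beside a hardened one that also caps the requested token level at the caller's own membership level. The Actor struct, the function names and the sample actors are assumptions; the numeric access levels are the ones GitLab's API reports (Guest 10 through Owner 50).

```ruby
# Added illustration, not GitLab's code: a minimal model of the authorization
# decision behind CVE-2024-1250. Actor, create_token_* and the sample actors
# are assumptions made for this example.

# Access levels as GitLab's API reports them.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# A group member: base membership level plus permissions granted by a custom role.
Actor = Struct.new(:name, :access_level, :custom_permissions, keyword_init: true)

class TokenCreationDenied < StandardError; end

# Shared precondition: Owners may manage group access tokens, as may anyone
# whose custom role grants manage_group_access_tokens.
def may_manage_tokens?(actor)
  actor.access_level >= ACCESS_LEVELS[:owner] ||
    actor.custom_permissions.include?(:manage_group_access_tokens)
end

# Vulnerable shape: checks only the permission, never the requested level, so a
# Developer holding the custom permission can mint an Owner-level token.
def create_token_vulnerable(actor, requested_level)
  raise TokenCreationDenied, "#{actor.name} may not manage tokens" unless may_manage_tokens?(actor)
  { created_by: actor.name, access_level: requested_level }
end

# Hardened shape: additionally cap the token at the actor's own membership
# level, so the grant cannot be chained into privileges the actor lacks.
def create_token_hardened(actor, requested_level)
  raise TokenCreationDenied, "#{actor.name} may not manage tokens" unless may_manage_tokens?(actor)
  if requested_level > actor.access_level
    raise TokenCreationDenied,
          "#{actor.name} (level #{actor.access_level}) cannot mint a level #{requested_level} token"
  end
  { created_by: actor.name, access_level: requested_level }
end

# Run one of the two checks and report :allowed or :denied for comparison.
def outcome(check, actor, requested_level)
  send(check, actor, requested_level)
  :allowed
rescue TokenCreationDenied
  :denied
end

# Constructed actors: a Developer with the custom permission (the CVE's
# precondition), a genuine Owner, and a Developer without the permission.
def sample_actors
  {
    custom_role_dev: Actor.new(name: "dev-with-custom-role",
                               access_level: ACCESS_LEVELS[:developer],
                               custom_permissions: [:manage_group_access_tokens]),
    owner: Actor.new(name: "group-owner",
                     access_level: ACCESS_LEVELS[:owner],
                     custom_permissions: []),
    plain_dev: Actor.new(name: "plain-dev",
                         access_level: ACCESS_LEVELS[:developer],
                         custom_permissions: [])
  }
end

if __FILE__ == $PROGRAM_NAME
  dev = sample_actors[:custom_role_dev]
  %i[create_token_vulnerable create_token_hardened].each do |check|
    puts "#{check}: Owner-level token requested by #{dev.name} -> #{outcome(check, dev, ACCESS_LEVELS[:owner])}"
  end
end
```

The hardened variant still lets the custom-role Developer create tokens at or below Developer level, which is the intended delegation; only the step from Developer to Owner is blocked.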

Potential Impact

For European organizations running GitLab EE with custom roles in use, this vulnerability threatens the confidentiality and integrity of source code and project data. Organizations that depend on GitLab for critical software development, including government agencies, financial institutions, and technology companies, could see sensitive intellectual property read by unauthorized parties or their development pipelines tampered with. An attacker who reaches Owner level can manipulate repositories, inject malicious code, change group membership, or exfiltrate confidential information. Because Owner scope on a group extends to every project beneath it, a single escalated account can affect many projects and users at once. The medium severity rating reflects that the attacker must already hold a custom role with the relevant permission, but the absence of any user interaction and the network-reachable attack surface mean that insider threats and compromised accounts holding such roles are the realistic risk. Exposure or alteration of personal or regulated data through an escalated account could also create obligations under European data protection rules.

Mitigation Recommendations

European organizations should promptly upgrade affected GitLab EE installations (16.8.0 and 16.8.1) to 16.8.2 or later, where the issue is fixed. Upgrading stops new Owner-level tokens from being minted through the custom role, but it does not revoke tokens issued beforehand: after patching, list each group's access tokens, review any with the Owner access level created while the instance ran an affected version, trace them to their creator in the audit events, and revoke those not created by a legitimate Owner. Until patching is possible, audit custom roles and remove the manage_group_access_tokens permission from all but the most trusted administrators, or withdraw the custom role entirely. More generally, keep custom role assignments minimal and review them regularly; enable and monitor GitLab audit events for group access token creation and for membership changes to Owner level; require multi-factor authentication for every account holding elevated permissions to reduce the impact of credential compromise; and segregate critical projects into separate groups with few Owners to limit the blast radius of any escalation. Security awareness training that covers privilege escalation and encourages reporting of suspicious activity complements these controls.
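A post-upgrade audit of existing tokens, as an added example in Ruby (not GitLab's tooling): it reads the JSON that GitLab's GET /groups/:id/access_tokens endpoint returns, keeps the active Owner-level tokens created during an assumed exposure window, and lists them for manual review against the audit events. The endpoint, the PRIVATE-TOKEN header and the field names are GitLab's documented API; the exposure window, the sample response and the helper names are constructed assumptions for this example.

```ruby
# Added example, not GitLab's code: flag Owner-level group access tokens that
# were created while the instance ran an affected 16.8.x build.
require "json"
require "time"
require "net/http"
require "uri"

OWNER_LEVEL = 50

# Live fetch via GitLab's API (needs a token with read_api scope).
# Not called by the offline demo below.
def fetch_group_access_tokens(base_url, group_id, private_token)
  uri = URI("#{base_url}/api/v4/groups/#{group_id}/access_tokens")
  req = Net::HTTP::Get.new(uri)
  req["PRIVATE-TOKEN"] = private_token
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(req) }
  raise "GitLab API returned #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)
end

# Tokens that are still usable, carry Owner access, and were created inside
# the window [vulnerable_from, patched_at). Each one should be traced to its
# creator in the audit events and revoked unless a legitimate Owner made it.
def suspicious_owner_tokens(tokens, vulnerable_from:, patched_at:)
  tokens.select do |t|
    created = Time.iso8601(t["created_at"])
    t["active"] && !t["revoked"] &&
      t["access_level"] == OWNER_LEVEL &&
      created >= vulnerable_from && created < patched_at
  end
end

# Constructed sample shaped like the API response (assumed data).
SAMPLE_TOKENS = JSON.parse(<<~SAMPLE)
  [
    {"id": 101, "name": "ci-deploy", "access_level": 40, "active": true, "revoked": false,
     "created_at": "2024-01-10T09:00:00.000Z", "scopes": ["read_repository"]},
    {"id": 102, "name": "mystery-owner", "access_level": 50, "active": true, "revoked": false,
     "created_at": "2024-01-25T14:12:00.000Z", "scopes": ["api"]},
    {"id": 103, "name": "old-owner", "access_level": 50, "active": true, "revoked": false,
     "created_at": "2023-11-01T08:00:00.000Z", "scopes": ["api"]},
    {"id": 104, "name": "revoked-owner", "access_level": 50, "active": false, "revoked": true,
     "created_at": "2024-02-01T08:00:00.000Z", "scopes": ["api"]}
  ]
SAMPLE

# Assumed exposure window: the day 16.8 was deployed through the 16.8.2 upgrade.
def demo_findings
  suspicious_owner_tokens(SAMPLE_TOKENS,
                          vulnerable_from: Time.iso8601("2024-01-18T00:00:00Z"),
                          patched_at: Time.iso8601("2024-02-13T00:00:00Z"))
end

if __FILE__ == $PROGRAM_NAME
  demo_findings.each do |t|
    puts "REVIEW token #{t['id']} (#{t['name']}): Owner-level, created #{t['created_at']}"
  end
end
```

The token listing does not record who created a token, which is why the output is a review list rather than an automatic revocation: match each flagged token's creation time against the group's audit events to identify the creator before revoking.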


Technical Details

Data Version: 5.1
Assigner Short Name: GitLab
Date Reserved: 2024-02-06T07:02:25.333Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9819c4522896dcbd8a9a

Added to database: 5/21/2025, 9:08:41 AM

Last enriched: 7/5/2025, 8:25:51 AM

Last updated: 7/31/2025, 1:43:21 AM
