Jobert

**Name of the Vulnerable Software and Affected Versions** GitLab Enterprise Edition versions 11.1.7 and earlier, 11.2.x before 11.2.4, 11.3.x before 11.3.1 **Description** An issue was discovered related to the "merge request approvals" feature, where attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference. This could allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For versions 11.1.7 and earlier, update to version 11.1.7 or later. For versions 11.2.x before 11.2.4, update to version 11.2.4 or later. For versions 11.3.x before 11.3.1, update to version 11.3.1 or later. As a temporary workaround, consider restricting access to the "merge request approvals" feature until a patch is available.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions prior to 11.4.13 GitLab Community and Enterprise Edition versions 11.5.x prior to 11.5.6 GitLab Community and Enterprise Edition versions 11.6.x prior to 11.6.1 Description: The issue is related to Incorrect Access Control. Recommendations: For versions prior to 11.4.13, update to version 11.4.13 or later. For versions 11.5.x prior to 11.5.6, update to version 11.5.6 or later. For versions 11.6.x prior to 11.6.1, update to version 11.6.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Enterprise Edition versions 11.5.8 and earlier, 11.6.x before 11.6.6, 11.7.x before 11.7.1 **Description** An issue was discovered in the Jira integration feature, which is vulnerable to an unauthenticated blind Server-Side Request Forgery (SSRF) issue. This means that an attacker could potentially exploit this issue without authentication, allowing them to make unauthorized requests to internal systems. **Recommendations** For versions 11.5.8 and earlier, update to version 11.5.8 or later. For versions 11.6.x before 11.6.6, update to version 11.6.6 or later. For versions 11.7.x before 11.7.1, update to version 11.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Edition versions 8.9 through 11.5.0-rc11 GitLab Community and Enterprise Edition versions 11.4.0 through 11.4.5 GitLab Community and Enterprise Edition versions 11.3.0 through 11.3.9 **Description** The issue is related to incorrect access control. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For GitLab Community and Enterprise Edition versions 8.9 through 11.5.0-rc11, update to version 11.5.0-rc12 or later. For GitLab Community and Enterprise Edition versions 11.4.0 through 11.4.5, update to version 11.4.6 or later. For GitLab Community and Enterprise Edition versions 11.3.0 through 11.3.9, update to version 11.3.10 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Edition versions prior to 11.6.10 GitLab Community and Enterprise Edition versions 11.7.x prior to 11.7.6 GitLab Community and Enterprise Edition versions 11.8.x prior to 11.8.1 **Description** The issue is related to Insecure Permissions. **Recommendations** For versions prior to 11.6.10, update to version 11.6.10 or later. For versions 11.7.x prior to 11.7.6, update to version 11.7.6 or later. For versions 11.8.x prior to 11.8.1, update to version 11.8.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Community Edition versions 11.0.0 through 11.1.8 GitLab Community Edition versions 11.2.0 through 11.2.5 GitLab Community Edition versions 11.3.0 through 11.3.2 **Description** An issue was discovered that leads to Information Exposure via the GFM markdown API. **Recommendations** For GitLab Community Edition versions 11.0.0 through 11.1.8, update to version 11.1.8 or later. For GitLab Community Edition versions 11.2.0 through 11.2.5, update to version 11.2.5 or later. For GitLab Community Edition versions 11.3.0 through 11.3.2, update to version 11.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Edition versions 11.0.0 through 11.2.7 GitLab Community and Enterprise Edition versions 11.3.0 through 11.3.8 GitLab Community and Enterprise Edition versions 11.4.0 through 11.4.3 **Description** An issue in GitLab allows Information Exposure via a Gitlab Prometheus integration. **Recommendations** For GitLab Community and Enterprise Edition versions 11.0.0 through 11.2.7, update to version 11.2.7 or later. For GitLab Community and Enterprise Edition versions 11.3.0 through 11.3.8, update to version 11.3.8 or later. For GitLab Community and Enterprise Edition versions 11.4.0 through 11.4.3, update to version 11.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Editions versions prior to 10.1.6 GitLab Community and Enterprise Editions versions prior to 10.2.6 GitLab Community and Enterprise Editions versions prior to 10.3.4 **Description** The issue is related to an authorization bypass in the GitLab import component. This allows an attacker to perform operations under a group where they were previously unauthorized. **Recommendations** For versions prior to 10.1.6, update to version 10.1.6 or later. For versions prior to 10.2.6, update to version 10.2.6 or later. For versions prior to 10.3.4, update to version 10.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** Gitlab Community Edition version 10.3 **Description** The issue is related to a path traversal problem in the GitLab CI runner component, which results in remote code execution. **Recommendations** For Gitlab Community Edition version 10.3, update to a version that fixes the path traversal issue in the GitLab CI runner component to prevent remote code execution.

**Name of the Vulnerable Software and Affected Versions** GitLab versions 8.12.0 through 8.12.10 GitLab versions 8.13.0 through 8.13.7 GitLab versions 8.14.0 through 8.14.2 **Description** The issue exposes a dangerous method to any authenticated user, potentially leading to the deletion of all Issue and MergeRequest objects on a GitLab instance. For instances with publicly available projects, this could be exploited by an unauthenticated user. **Recommendations** For GitLab versions 8.12.0 through 8.12.10, update to version 8.12.11. For GitLab versions 8.13.0 through 8.13.7, update to version 8.13.8. For GitLab versions 8.14.0 through 8.14.2, update to version 8.14.3.