Thelucion

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 16.8 through 18.4.9 **Description** A security issue exists in GitLab CE/EE that may allow unauthorized modification of merge request approval rules under specific circumstances. The issue affects the processing of approval rules within merge requests. **Recommendations** Update GitLab CE/EE to version 18.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 8.13 through 16.4.2 GitLab EE versions 16.5 through 16.5.2 GitLab EE versions 16.6 through 16.6.0 **Description** An issue has been discovered in GitLab EE, where it was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group. **Recommendations** For versions 8.13 through 16.4.2, update to version 16.4.3 or later. For versions 16.5 through 16.5.2, update to version 16.5.3 or later. For versions 16.6 through 16.6.0, update to version 16.6.1 or later. As a temporary workaround, consider restricting the `Allowed to merge` permission for guest users in groups until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 11.6 through 16.3.5 GitLab EE versions 16.4 through 16.4.1 GitLab EE versions 16.5 through 16.5.0 **Description** An issue has been discovered in GitLab EE, where it was possible for an unauthorized project or group member to read the CI/CD variables using the custom project templates. **Recommendations** For versions 11.6 through 16.3.5, update to version 16.3.6 or later. For versions 16.4 through 16.4.1, update to version 16.4.2 or later. For versions 16.5 through 16.5.0, update to version 16.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab versions prior to 16.2.7 GitLab versions 16.3 through 16.3.5 GitLab versions 16.4 through 16.4.1 **Description** An issue has been discovered in GitLab where a removed project member could write to protected branches using deploy keys. **Recommendations** For versions prior to 16.2.7, update to version 16.2.7 or later. For versions 16.3 through 16.3.4, update to version 16.3.5 or later. For versions 16.4 through 16.4.0, update to version 16.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab versions 11.2 through 16.2.8 GitLab versions 16.3 through 16.3.5 GitLab versions 16.4 through 16.4.1 **Description** An issue has been discovered in GitLab where a maintainer could create a fork relationship between existing projects contrary to the documentation. **Recommendations** For versions 11.2 through 16.2.8, update to version 16.2.8 or later. For versions 16.3 through 16.3.5, update to version 16.3.5 or later. For versions 16.4 through 16.4.1, update to version 16.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 11.11 through 16.2.7 GitLab EE versions 16.3 through 16.3.4 GitLab EE versions 16.4 through 16.4.0 **Description** An issue has been discovered in GitLab EE where Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories. **Recommendations** For GitLab EE versions 11.11 through 16.2.7, update to version 16.2.8 or later. For GitLab EE versions 16.3 through 16.3.4, update to version 16.3.5 or later. For GitLab EE versions 16.4 through 16.4.0, update to version 16.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab versions 10.6 through 16.2.8 GitLab versions 16.3 through 16.3.5 GitLab versions 16.4 through 16.4.1 **Description** An issue has been discovered in GitLab where upstream members collaborating on a branch could get permission to write to the merge request's source branch. **Recommendations** For GitLab versions 10.6 through 16.2.8, update to version 16.2.8 or later. For GitLab versions 16.3 through 16.3.5, update to version 16.3.5 or later. For GitLab versions 16.4 through 16.4.1, update to version 16.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 15.1 through 15.11.9 GitLab CE/EE versions 16.0 through 16.0.5 GitLab CE/EE versions 16.1 through 16.1.0 **Description** An issue has been discovered that allows a maintainer to modify a webhook URL and leak masked webhook secrets by manipulating other masked portions. This issue is related to an incomplete fix. **Recommendations** For GitLab CE/EE versions 15.1 through 15.11.9, update to version 15.11.10 or later. For GitLab CE/EE versions 16.0 through 16.0.5, update to version 16.0.6 or later. For GitLab CE/EE versions 16.1 through 16.1.0, update to version 16.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab versions prior to 16.7.6 GitLab versions 16.8 through 16.8.2 GitLab versions 16.9 through 16.9.0 **Description** An issue has been discovered in GitLab that allows group members with a sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group. This issue is related to inadequate management of SSH keys during deployment script automation. Exploitation of this issue may allow a remote attacker to modify the title of private deploy keys. **Recommendations** For GitLab versions prior to 16.7.6, update to version 16.7.6 or later. For GitLab versions 16.8 through 16.8.2, update to version 16.8.3 or later. For GitLab versions 16.9 through 16.9.0, update to version 16.9.1 or later. As a temporary workaround, consider restricting the sub-maintainer role's access to deploy keys until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 14.1 through 15.10.7 GitLab CE/EE versions 15.11 through 15.11.6 GitLab CE/EE versions 16.0 through 16.0.1 **Description** A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of. **Recommendations** For versions 14.1 through 15.10.7, update to version 15.10.8 or later. For versions 15.11 through 15.11.6, update to version 15.11.7 or later. For versions 16.0 through 16.0.1, update to version 16.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 10.1 through 15.10.7 GitLab CE/EE versions 15.11 through 15.11.6 GitLab CE/EE versions 16.0 through 16.0.1 **Description** An issue has been discovered in GitLab CE/EE where a user could use an unverified email as a public email and commit email by sending a specifically crafted request on user update settings. **Recommendations** For versions 10.1 through 15.10.7, update to version 15.10.8 or later. For versions 15.11 through 15.11.6, update to version 15.11.7 or later. For versions 16.0 through 16.0.1, update to version 16.0.2 or later.