CVE-2018-17455

Name of the Vulnerable Software and Affected Versions GitLab Enterprise Edition versions 11.1.7 and earlier, 11.2.x before 11.2.4, 11.3.x before 11.3.1

Description An issue was discovered related to the "merge request approvals" feature, where attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference. This could allow a remote attacker to gain unauthorized access to protected information.

Recommendations For versions 11.1.7 and earlier, update to version 11.1.7 or later. For versions 11.2.x before 11.2.4, update to version 11.2.4 or later. For versions 11.3.x before 11.3.1, update to version 11.3.1 or later. As a temporary workaround, consider restricting access to the "merge request approvals" feature until a patch is available.