Executor

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 7.7 and later Description: The application may allow a malicious user to create an OAuth client application with arbitrary scope names, potentially tricking unsuspecting users into authorizing the malicious client application using the spoofed scope name and description. Recommendations: For GitLab CE/EE versions 7.7 and later, consider restricting the ability to create OAuth client applications with arbitrary scope names until a patch is available. As a temporary workaround, monitor OAuth client application creations and authorization requests to detect potential malicious activity.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions 11.9 through 12.0.2 Description: An issue was discovered that allows unauthorized users to add comments to a private snippet due to an authorization issue in GitLab Snippets. This issue also allows authentication bypass. Recommendations: For GitLab Community and Enterprise Edition versions 11.9 through 12.0.2, consider restricting access to private snippets until a fix is available. As a temporary workaround, consider disabling the commenting feature on private snippets to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.