Greg Myers

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 17.0 through 17.6.3 GitLab CE/EE versions 17.7 through 17.7.2 GitLab CE/EE versions 17.8 through 17.8.0 **Description** An issue has been discovered in GitLab CE/EE that affects users with a developer role, allowing them to potentially exfiltrate protected CI variables via CI lint under certain conditions. This could enable attackers to access sensitive information. **Recommendations** For GitLab CE/EE versions 17.0 through 17.6.3, update to version 17.6.4 or later to resolve the issue. For GitLab CE/EE versions 17.7 through 17.7.2, update to version 17.7.3 or later to resolve the issue. For GitLab CE/EE versions 17.8 through 17.8.0, update to version 17.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to CI lint for users with developer roles until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 13.11 through 15.5.6 GitLab EE versions 15.6 through 15.6.3 GitLab EE versions 15.7 through 15.7.1 **Description** The issue is related to an incorrect authorization check, allowing group access tokens to remain active even after the group owner loses the ability to revoke them. **Recommendations** For GitLab EE versions 13.11 through 15.5.6, update to version 15.5.7 or later. For GitLab EE versions 15.6 through 15.6.3, update to version 15.6.4 or later. For GitLab EE versions 15.7 through 15.7.1, update to version 15.7.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 12.8 and later **Description** An issue has been discovered affecting GitLab CE/EE, where under a special condition, it was possible to access data of an internal repository through a project fork done by a project member. The issue is related to insufficient access restrictions to a forked project, allowing a remote attacker to gain access to confidential data. **Recommendations** For GitLab CE/EE versions 12.8 and later, consider restricting access to project forks to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the permissions of project members to prevent unauthorized access to internal repository data.