Gitlab · Gitlab Ce/Ee · CVE-2024-13041
**Name of the Vulnerable Software and Affected Versions**
GitLab CE/EE versions 16.4 through 17.5.5
GitLab CE/EE versions 17.6 through 17.6.3
GitLab CE/EE versions 17.7 through 17.7.1
**Description**
The issue is caused by incorrect management of user actions in GitLab CE/EE and can allow a remote attacker to gain unauthorized access to protected information. When a user is created via the SAML provider, the SAML external groups setting overrides the external provider configuration, potentially giving such users access to internal projects or groups.
**Recommendations**
For GitLab CE/EE versions 16.4 through 17.5.5, update to version 17.5.5 or later to resolve the issue.
For GitLab CE/EE versions 17.6 through 17.6.3, update to version 17.6.3 or later to resolve the issue.
For GitLab CE/EE versions 17.7 through 17.7.1, update to version 17.7.1 or later to resolve the issue.
As a temporary workaround, consider restricting access to internal projects or groups for users created via the SAML provider until the issue is resolved.
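The description and the workaround both turn on one question for a defender: which SAML-provisioned accounts are not flagged `external`, and therefore can see internal projects and groups? The following audit check is an added example, not part of this advisory and not GitLab's own code. It assumes user records shaped like the GitLab Users API output (an `external` boolean and an `identities` list whose entries carry a `provider`), and the sample records embedded below are constructed for illustration; point it at a real export from your instance to find accounts to review while the upgrade is pending.

```python
"""Audit check: list users provisioned through an external OmniAuth provider
(SAML by default) who are not flagged ``external`` in GitLab.

Added example, not from the advisory or from GitLab. It assumes the GitLab
Users API record shape (``external`` boolean, ``identities`` list with a
``provider`` key); the sample records below are constructed, not real data.
"""
from __future__ import annotations

import json
from typing import Iterable

# Constructed sample shaped like GET /api/v4/users output (assumption; not real data).
SAMPLE_USERS_JSON = """
[
  {"id": 1, "username": "root",  "state": "active",  "external": false,
   "identities": []},
  {"id": 2, "username": "alice", "state": "active",  "external": true,
   "identities": [{"provider": "saml", "extern_uid": "alice@example.test"}]},
  {"id": 3, "username": "bob",   "state": "active",  "external": false,
   "identities": [{"provider": "saml", "extern_uid": "bob@example.test"}]},
  {"id": 4, "username": "carol", "state": "blocked", "external": false,
   "identities": [{"provider": "saml", "extern_uid": "carol@example.test"}]},
  {"id": 5, "username": "dave",  "state": "active",  "external": false,
   "identities": [{"provider": "ldapmain", "extern_uid": "cn=dave"}]}
]
"""


def provisioned_via(user: dict, providers: Iterable[str]) -> bool:
    """True if any identity on the user comes from one of ``providers``."""
    wanted = set(providers)
    return any(ident.get("provider") in wanted for ident in user.get("identities", []))


def missing_external_flag(users: list[dict],
                          external_providers: Iterable[str] = ("saml",),
                          active_only: bool = True) -> list[str]:
    """Usernames provisioned via an external provider yet not flagged ``external``.

    Such accounts are treated as regular members and can reach internal
    projects and groups.  Blocked users are skipped unless ``active_only``
    is False.  Output is sorted for stable diffing between runs.
    """
    hits = []
    for user in users:
        if active_only and user.get("state") != "active":
            continue
        if provisioned_via(user, external_providers) and not user.get("external", False):
            hits.append(user["username"])
    return sorted(hits)


def audit(json_text: str = SAMPLE_USERS_JSON,
          external_providers: Iterable[str] = ("saml",),
          active_only: bool = True) -> list[str]:
    """Parse a Users API JSON document and run the check over it."""
    return missing_external_flag(json.loads(json_text), external_providers, active_only)


if __name__ == "__main__":
    for name in audit():
        print(f"review: {name} was provisioned via an external provider but is not marked external")
```

Running it over the constructed sample reports only `bob`: `alice` is correctly external, `carol` is blocked and skipped by default, and `dave` came from LDAP rather than the SAML provider. Pass the providers you list as external in your GitLab configuration to `external_providers` so the check matches your own policy.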