Jimenoon

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 13.7 through 15.0.4 GitLab CE/EE versions 15.1 through 15.1.3 GitLab CE/EE versions 15.2 through 15.2.0 **Description** The issue is related to an improper access control check, allowing a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission. It is noted that the private key is neither asked for nor stored by GitLab. **Recommendations** For GitLab CE/EE versions 13.7 through 15.0.4, update to version 15.0.5 or later. For GitLab CE/EE versions 15.1 through 15.1.3, update to version 15.1.4 or later. For GitLab CE/EE versions 15.2 through 15.2.0, update to version 15.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions prior to 14.8.6 GitLab CE/EE versions 14.9.0 through 14.9.4 GitLab CE/EE version 14.10.0 **Description** An improper authorization issue has been discovered, allowing Guest project members to access the trace log of jobs when it is enabled. **Recommendations** For versions prior to 14.8.6, update to version 14.8.6 or later. For versions 14.9.0 through 14.9.3, update to version 14.9.4 or later. For version 14.10.0, update to a version later than 14.10.0.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 12.1 through 14.7.7 GitLab CE/EE versions 14.8 through 14.8.5 GitLab CE/EE versions 14.9 through 14.9.2 **Description** A blind SSRF attack was possible through the repository mirroring feature. **Recommendations** For versions 12.1 through 14.7.7, update to version 14.7.7 or later. For versions 14.8 through 14.8.5, update to version 14.8.5 or later. For versions 14.9 through 14.9.2, update to version 14.9.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 13.1 through 14.2.6 GitLab CE/EE versions 14.3 through 14.3.4 GitLab CE/EE versions 14.4 through 14.4.1 **Description** The issue is related to an Improper Access Control vulnerability in the GraphQL API. This vulnerability allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request. **Recommendations** For GitLab CE/EE versions 13.1 through 14.2.6, update to version 14.2.6 or later. For GitLab CE/EE versions 14.3 through 14.3.4, update to version 14.3.4 or later. For GitLab CE/EE versions 14.4 through 14.4.1, update to version 14.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 12.2 and later **Description** A verbose error message in GitLab EE could disclose the private email address of a user invited to a group. This issue affects all versions since 12.2 and allows a remote attacker to access confidential data. **Recommendations** For GitLab EE versions 12.2 and later, update to a version that includes a fix for this issue to prevent the disclosure of private email addresses. As a temporary workaround, consider restricting error message visibility to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 13.3 and later **Description** The issue is related to improper authorization in GitLab, allowing users to view and delete impersonation tokens created by administrators for their account. This can be exploited by a remote attacker to access and compromise confidential data. **Recommendations** For GitLab CE/EE versions 13.3 and later, update to a version that includes a fix for this issue to prevent users from viewing and deleting impersonation tokens that administrators created for their account. At the moment, there is no information about a newer version that contains a fix for this vulnerability.