Js_Noob

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 11.2 through 17.1.6 GitLab EE versions 17.2 through 17.2.4 GitLab EE versions 17.3 through 17.3.1 **Description** An issue has been discovered in GitLab EE, allowing a guest to read the source code of a private project by using group templates. This issue results in unauthorized access to private projects. **Recommendations** For GitLab EE versions 11.2 through 17.1.6, upgrade to version 17.1.7 or later. For GitLab EE versions 17.2 through 17.2.4, upgrade to version 17.2.5 or later. For GitLab EE versions 17.3 through 17.3.1, upgrade to version 17.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 17.0 through 17.0.3 GitLab CE/EE versions 17.1 through 17.1.1 **Description** The issue is related to insufficient access control in the `admin compliance framework` function of the Group Namespace URL Handler component in GitLab. This could allow a remote attacker to modify the URL for a group namespace. The vulnerability affects Developer users with the `admin compliance framework` custom role. **Recommendations** For GitLab CE/EE versions 17.0 through 17.0.3, update to version 17.0.4 or later to resolve the issue. For GitLab CE/EE versions 17.1 through 17.1.1, update to version 17.1.2 or later to resolve the issue. As a temporary workaround, consider restricting the `admin compliance framework` custom role for Developer users until a patch is applied.

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 16.10 through 16.11.5 GitLab CE/EE versions 17.0 through 17.0.3 GitLab CE/EE versions 17.1 through 17.1.1 Description: The issue is related to insufficient access control in the implementation of the GitLab platform's application programming interface for collaborative code work. This can allow a remote attacker to gain read, modify, or delete access to data. Specifically, a project maintainer can delete the merge request approval policy via `graphQL`. Recommendations: For versions 16.10 through 16.11.5, update to version 16.11.5 or later. For versions 17.0 through 17.0.3, update to version 17.0.3 or later. For versions 17.1 through 17.1.1, update to version 17.1.1 or later. As a temporary workaround, consider restricting access to the `graphQL` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GitLab EE/CE versions 11.4 through 17.2.8 GitLab EE/CE versions 17.3 through 17.3.4 GitLab EE/CE versions 17.4 through 17.4.1 **Description** The issue is related to errors in the representation of given functions in the GitLab platform, allowing a remote attacker to gain unauthorized access to protected information. Specifically, it was possible for guest users to disclose project templates using the API. **Recommendations** For GitLab EE/CE versions 11.4 through 17.2.8, update to version 17.2.9 or later. For GitLab EE/CE versions 17.3 through 17.3.4, update to version 17.3.5 or later. For GitLab EE/CE versions 17.4 through 17.4.1, update to version 17.4.2 or later. As a temporary workaround, consider restricting access to the API for guest users until a patch is available.

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 16.7 through 16.11.5 GitLab CE/EE versions 17.0 through 17.0.3 GitLab CE/EE versions 17.1 through 17.1.1 Description: An issue in GitLab CE/EE allows private job artifacts to be accessed by any user due to improper authorization. This can enable a remote attacker to gain unauthorized access to protected information. Recommendations: For GitLab CE/EE versions 16.7 through 16.11.5, update to version 16.11.5 or later to resolve the issue. For GitLab CE/EE versions 17.0 through 17.0.3, update to version 17.0.3 or later to resolve the issue. For GitLab CE/EE versions 17.1 through 17.1.1, update to version 17.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 16.4 through 16.6.7 GitLab EE versions 16.7 through 16.7.5 GitLab EE versions 16.8 through 16.8.2 **Description** The issue allows a maintainer to change the name of a protected branch, bypassing the security policy added to block merge requests. This is related to insufficient access control in the GitLab platform. An attacker could exploit this to remotely bypass existing security restrictions. **Recommendations** For GitLab EE versions 16.4 through 16.6.7, update to version 16.6.7 or later. For GitLab EE versions 16.7 through 16.7.5, update to version 16.7.5 or later. For GitLab EE versions 16.8 through 16.8.2, update to version 16.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 8.17 through 16.4.3 GitLab EE versions 16.5 through 16.5.3 GitLab EE versions 16.6 through 16.6.1 **Description** An issue has been discovered in GitLab EE, where auditor users could fork and submit merge requests to private projects they are not a member of. **Recommendations** For versions 8.17 through 16.4.3, update to version 16.4.4 or later. For versions 16.5 through 16.5.3, update to version 16.5.4 or later. For versions 16.6 through 16.6.1, update to version 16.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab versions 13.2 through 16.4.2 GitLab versions 16.5 through 16.5.2 GitLab versions 16.6 through 16.6.0 **Description** An issue has been discovered in GitLab, allowing users to access composer packages on public projects that have package registry disabled in the project settings. **Recommendations** For GitLab versions 13.2 through 16.4.2, update to version 16.4.3 or later. For GitLab versions 16.5 through 16.5.2, update to version 16.5.3 or later. For GitLab versions 16.6 through 16.6.0, update to version 16.6.1 or later.

**Name of the Vulnerable Software and Affected Versions** Gitlab EE and CE versions prior to 16.2.8 Gitlab EE and CE version 16.3 prior to 16.3.5 Gitlab EE and CE version 16.4 prior to 16.4.1 **Description** The issue allows an attacker to cause pipelines to fail, resulting in a Denial of Service. This affects all versions of Gitlab EE and CE prior to the specified versions. **Recommendations** For Gitlab EE and CE versions prior to 16.2.8, update to version 16.2.8 or later. For Gitlab EE and CE version 16.3 prior to 16.3.5, update to version 16.3.5 or later. For Gitlab EE and CE version 16.4 prior to 16.4.1, update to version 16.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 11.8 through 16.2.7 GitLab CE/EE versions 16.3 through 16.3.4 GitLab CE/EE versions 16.4 through 16.4.0 **Description** An improper authorization issue has been discovered in GitLab CE/EE. It allows a project reporter to leak the owner's Sentry instance projects. **Recommendations** For versions 11.8 through 16.2.7, update to version 16.2.8 or later. For versions 16.3 through 16.3.4, update to version 16.3.5 or later. For versions 16.4 through 16.4.0, update to version 16.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions prior to 16.0.8 GitLab CE/EE versions 16.1 prior to 16.1.3 GitLab CE/EE versions 16.2 prior to 16.2.2 **Description** An issue has been discovered in GitLab CE/EE, which allows developers to create pipeline schedules on protected branches even if they don't have access to merge. **Recommendations** For versions prior to 16.0.8, update to version 16.0.8 or later. For versions 16.1 prior to 16.1.3, update to version 16.1.3 or later. For versions 16.2 prior to 16.2.2, update to version 16.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 12.0 through 15.10.4 GitLab EE versions 15.11.0 **Description** An issue has been discovered in GitLab EE where a malicious group member may continue to commit to projects even from a restricted IP address. **Recommendations** For GitLab EE versions 12.0 through 15.10.4, update to version 15.10.5 or later. For GitLab EE version 15.11.0, update to version 15.11.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab versions 10.0 through 12.9.7 GitLab versions 12.10 through 12.10.6 GitLab versions 13.0 through 13.0.0 **Description** An issue has been discovered in GitLab where a user with the role of developer could use the import project feature to leak CI/CD variables. **Recommendations** For GitLab versions 10.0 through 12.9.7, update to version 12.9.8 or later. For GitLab versions 12.10 through 12.10.6, update to version 12.10.7 or later. For GitLab versions 13.0 through 13.0.0, update to version 13.0.1 or later.