Justas_Bon

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions prior to 15.0.5 GitLab EE versions 15.1 through 15.1.4 GitLab EE versions 15.2 through 15.2.1 **Description** An issue has been discovered in GitLab EE where email invited members may be able to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled. **Recommendations** For versions prior to 15.0.5, update to version 15.0.5 or later. For versions 15.1 through 15.1.4, update to version 15.1.4 or later. For versions 15.2 through 15.2.1, update to version 15.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 8.12 through 14.8.5 GitLab CE/EE versions 14.9.0 through 14.9.3 GitLab CE/EE version 14.10.0 **Description** The issue is related to improper input validation, allowing a Developer to read protected Group or Project CI/CD variables by importing a malicious project. **Recommendations** For GitLab CE/EE versions 8.12 through 14.8.5, update to version 14.8.6 or later. For GitLab CE/EE versions 14.9.0 through 14.9.3, update to version 14.9.4 or later. For GitLab CE/EE version 14.10.0, update to a version that contains the fix for this issue.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 11.0 through 14.3.6 GitLab CE/EE versions 14.4 through 14.4.4 GitLab CE/EE versions 14.5 through 14.5.2 **Description** A permissions validation flaw in GitLab CE/EE allowed group members with a developer role to elevate their privilege to a maintainer on projects they import. This issue is related to a flaw in the validation of permissions. **Recommendations** For versions 11.0 through 14.3.6, update to version 14.3.6 or later to resolve the issue. For versions 14.4 through 14.4.4, update to version 14.4.4 or later to resolve the issue. For versions 14.5 through 14.5.2, update to version 14.5.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 8.0 and later Description: The issue allows an attacker to set pipeline schedules to be active in a project export. When an unsuspecting owner imports that project, pipelines are active by default, potentially leading to information disclosure if the project is imported from an untrusted source. Recommendations: For GitLab CE/EE versions 8.0 and later, consider disabling pipeline schedules by default for imported projects to minimize the risk of information disclosure. As a temporary workaround, restrict the ability to import projects from untrusted sources until a more permanent solution is available.