GitLab · GitLab CE/EE · CVE-2024-4006
Name of the Vulnerable Software and Affected Versions:
GitLab CE/EE versions 16.7 through 16.9.5
GitLab CE/EE versions 16.10 through 16.10.3
GitLab CE/EE versions 16.11 through 16.11.0
Description:
The issue lies in the GraphQL Subscription Handler component of the GitLab platform, which does not adequately protect internal data. Because GraphQL subscriptions do not honor personal access token scopes, a remote attacker can gain unauthorized access to confidential information, potentially exposing data.
Recommendations:
For GitLab CE/EE versions 16.7 through 16.9.5, update to version 16.9.6 or later.
For GitLab CE/EE versions 16.10 through 16.10.3, update to version 16.10.4 or later.
For GitLab CE/EE versions 16.11 through 16.11.0, update to version 16.11.1 or later.
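As a practical check against the affected-version list and the recommendations above, the following Python script is an added example, not GitLab's own tooling. It encodes the three affected ranges and their first fixed releases exactly as the advisory states them, parses a GitLab version string (including the "-ee" style suffix), and reports whether the version is affected and which release to upgrade to. The function names, the sample payload and the placeholder revision value are constructed for illustration.

```python
"""Assess a GitLab CE/EE version string against the CVE-2024-4006 affected ranges.

Added example (not GitLab tooling). The ranges and fixed versions are the ones
listed in the advisory; everything else (function names, the sample payload)
is constructed for illustration.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) for each range in the advisory.
AFFECTED_RANGES = [
    ((16, 7, 0), (16, 9, 5), (16, 9, 6)),
    ((16, 10, 0), (16, 10, 3), (16, 10, 4)),
    ((16, 11, 0), (16, 11, 0), (16, 11, 1)),
]

# Accepts "16.9.5", "16.9" (patch defaults to 0) and suffixes such as "-ee" or "-pre".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\s*$")


def parse_version(text: str) -> Version:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def format_version(version: Version) -> str:
    """Render a (major, minor, patch) tuple as dotted text."""
    return ".".join(str(part) for part in version)


def assess(text: str) -> Tuple[bool, Optional[Version]]:
    """Return (affected, first_fixed_version) for a version string.

    first_fixed_version is None when the version lies outside every affected range.
    Tuple comparison gives correct ordering (16.9.5 < 16.10.0), which plain string
    comparison of version numbers would get wrong.
    """
    version = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= version <= last:
            return True, fixed
    return False, None


def report(text: str) -> str:
    """Human-readable verdict suitable for a monitoring check or a ticket."""
    affected, fixed = assess(text)
    if affected:
        return (f"{text.strip()} is affected by CVE-2024-4006; "
                f"upgrade to {format_version(fixed)} or later")
    return f"{text.strip()} is not in a CVE-2024-4006 affected range"


def version_from_api_payload(payload: dict) -> str:
    """Extract the version from the JSON object returned by GitLab's /api/v4/version endpoint."""
    return str(payload["version"])


if __name__ == "__main__":
    # Constructed sample of a /api/v4/version response; the revision is a placeholder.
    sample_payload = {"version": "16.9.5-ee", "revision": "<revision-placeholder>"}
    print(report(version_from_api_payload(sample_payload)))
    for candidate in ("16.6.8", "16.9.6", "16.10.2-ee", "16.11.0", "16.11.1"):
        print(report(candidate))
```

The version string can be taken from the VERSION file of an installation or from the authenticated /api/v4/version API. A "not affected" result speaks only to the ranges listed for CVE-2024-4006; it says nothing about other advisories or about whether a release is still supported.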