Nyangawa

**Name of the Vulnerable Software and Affected Versions** GitLab versions prior to 12.10.13 **Description** The issue is related to a stored XSS in the import Bitbucket project feature. **Recommendations** For versions prior to 12.10.13, update to version 12.10.13 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GitLab versions 10.4 through 12.8.1 **Description** The issue allows Directory Traversal, which leads to arbitrary file read. A particular endpoint was vulnerable to a directory traversal vulnerability. **Recommendations** For GitLab versions 10.4 through 12.8.1, update to a version that contains a fix for this issue to prevent arbitrary file read. As a temporary workaround, consider restricting access to the vulnerable endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions 8.4 through 11.11 Description: An issue allows a malicious user to execute JavaScript code on notes by importing a specially crafted project file, enabling cross-site scripting (XSS). Recommendations: For GitLab Community and Enterprise Edition versions 8.4 through 11.11, update to a version that contains a fix for this issue to prevent malicious users from executing JavaScript code on notes.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition version 11.11 Description: An issue allows an authenticated malicious user to execute commands remotely through the repository download feature, enabling Command Injection. This is possible with a specially crafted payload. Recommendations: For GitLab Community and Enterprise Edition version 11.11, update to a version that includes a fix for this issue to prevent command injection attacks. As a temporary workaround, consider restricting access to the repository download feature to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions 8.4 through 11.11 Description: The protected branches feature in GitLab contained an access control issue, resulting in a bypass of the protected branches restriction rules. This issue is related to incorrect access control. Recommendations: For GitLab Community and Enterprise Edition versions 8.4 through 11.11, consider restricting access to the protected branches feature until a fix is available. As a temporary workaround, review and enforce manual access controls to minimize the risk of unauthorized branch modifications. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions 10.2 through 11.11 Description: An issue was discovered in multiple features, causing Server-Side Request Forgery (SSRF) vulnerabilities due to insufficient validation to prevent DNS rebinding attacks. Recommendations: For GitLab Community and Enterprise Edition versions 10.2 through 11.11, update to a version that includes the fix for the SSRF vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 11.11 through 12.7.2 **Description** The issue allows Directory Traversal. There is no information about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For GitLab EE versions 11.11 through 12.7.2, update to a version later than 12.7.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GitLab Enterprise Edition versions 8.9.0 through 12.6.1 **Description** An issue was discovered that allows someone to obtain issues from private projects using the project import feature. **Recommendations** For GitLab Enterprise Edition versions 8.9.0 through 12.6.1, consider restricting access to the project import feature until a fix is available.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 11.3 through 12.5.3 GitLab EE version 12.4.5 GitLab EE version 12.3.8 **Description** The issue is related to insufficient parameter sanitization for the Maven package registry, which could lead to privilege escalation and remote code execution under certain conditions. **Recommendations** For GitLab EE versions 11.3 through 12.5.3, update to a version that includes the necessary security patches to address the insufficient parameter sanitization issue. For GitLab EE version 12.4.5, apply the recommended security fixes to prevent privilege escalation and remote code execution. For GitLab EE version 12.3.8, consider restricting access to the Maven package registry until a patch is available to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gitlab Enterprise Edition (EE) versions 11.3 through 12.4.2 **Description** The issue allows Directory Traversal. There is no information about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Gitlab Enterprise Edition (EE) versions 11.3 through 12.4.2, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 8.18 up to 11.3.10 GitLab CE/EE versions 11.4 up to 11.4.7 GitLab CE/EE versions 11.5 up to 11.5.0 **Description** The issue is related to a Server-Side Request Forgery (SSRF) vulnerability in webhooks. This means an attacker could potentially forge requests to internal services, leading to unauthorized access or actions. **Recommendations** For versions 8.18 up to 11.3.10, update to version 11.3.11 or later. For versions 11.4 up to 11.4.7, update to version 11.4.8 or later. For versions 11.5 up to 11.5.0, update to version 11.5.1 or later.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions 11.0.0 through 11.3.12 GitLab Community and Enterprise Edition versions 11.4.0 through 11.4.10 GitLab Community and Enterprise Edition versions 11.5.0 through 11.5.3 Description: The issue is related to Incorrect Access Control. Recommendations: For GitLab Community and Enterprise Edition versions 11.0.0 through 11.3.12, update to version 11.3.13 or later. For GitLab Community and Enterprise Edition versions 11.4.0 through 11.4.10, update to version 11.4.11 or later. For GitLab Community and Enterprise Edition versions 11.5.0 through 11.5.3, update to version 11.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 11.3.x through 11.3.11 GitLab CE/EE versions 11.4.x through 11.4.9 GitLab CE/EE versions 11.5.x through 11.5.2 **Description** The issue allows Directory Traversal in Templates API. **Recommendations** For GitLab CE/EE versions 11.3.x through 11.3.11, update to version 11.3.12 or later. For GitLab CE/EE versions 11.4.x through 11.4.9, update to version 11.4.10 or later. For GitLab CE/EE versions 11.5.x through 11.5.2, update to version 11.5.3 or later.