Ryhmnlfjon

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 9.3 through 16.0.7 GitLab CE/EE versions 16.1 through 16.1.2 GitLab CE/EE versions 16.2 through 16.2.1 **Description** An issue has been discovered in GitLab CE/EE, where a Regular Expression Denial of Service was possible via sending crafted payloads that use `ProjectReferenceFilter` to the "preview markdown" endpoint. **Recommendations** For versions 9.3 through 16.0.7, update to version 16.0.8 or later. For versions 16.1 through 16.1.2, update to version 16.1.3 or later. For versions 16.2 through 16.2.1, update to version 16.2.2 or later. As a temporary workaround, consider restricting access to the "preview markdown" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 8.14 through 16.0.7 GitLab CE/EE versions 16.1 through 16.1.2 GitLab CE/EE versions 16.2 through 16.2.1 **Description** A Regular Expression Denial of Service issue was discovered, allowing attackers to send crafted payloads using AutolinkFilter to the "preview markdown" endpoint. This could potentially lead to a denial of service. **Recommendations** For versions 8.14 through 16.0.7, update to version 16.0.8 or later. For versions 16.1 through 16.1.2, update to version 16.1.3 or later. For versions 16.2 through 16.2.1, update to version 16.2.2 or later. As a temporary workaround, consider restricting access to the `preview markdown` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 8.7 through 15.10.7 GitLab CE/EE versions 15.11 through 15.11.6 GitLab CE/EE versions 16.0 through 16.0.1 **Description** A Regular Expression Denial of Service issue was discovered, allowing attackers to send crafted payloads to the "preview markdown" endpoint. This could potentially lead to a denial of service. **Recommendations** For versions 8.7 through 15.10.7, update to version 15.10.8 or later. For versions 15.11 through 15.11.6, update to version 15.11.7 or later. For versions 16.0 through 16.0.1, update to version 16.0.2 or later. As a temporary workaround, consider restricting access to the "preview markdown" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 12.0 through 15.10.7 GitLab CE/EE versions 15.11 through 15.11.6 GitLab CE/EE versions 16.0 through 16.0.1 **Description** A Regular Expression Denial of Service issue was discovered, allowing attackers to send crafted payloads to the "preview markdown" endpoint. **Recommendations** For versions 12.0 through 15.10.7, update to version 15.10.8 or later. For versions 15.11 through 15.11.6, update to version 15.11.7 or later. For versions 16.0 through 16.0.1, update to version 16.0.2 or later. As a temporary workaround, consider restricting access to the "preview markdown" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 15.4 through 15.10.7 GitLab CE/EE versions 15.11 through 15.11.6 GitLab CE/EE versions 16.0 through 16.0.1 **Description** An issue has been discovered in GitLab CE/EE, where a DollarMathPostFilter Regular Expression Denial of Service is possible by sending crafted payloads to the "preview markdown" endpoint. **Recommendations** For versions 15.4 through 15.10.7, update to version 15.10.8 or later. For versions 15.11 through 15.11.6, update to version 15.11.7 or later. For versions 16.0 through 16.0.1, update to version 16.0.2 or later. As a temporary workaround, consider restricting access to the "preview markdown" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Gitlab CE/EE versions 10.7 through 15.1.5 Gitlab CE/EE versions 15.2 through 15.2.3 Gitlab CE/EE versions 15.3 through 15.3.1 **Description** A potential DoS issue was discovered, allowing an attacker to trigger high CPU usage via a specially crafted input added in the `Commit message` field. This is due to insufficient input validation in the Commit message field, which can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Gitlab CE/EE versions 10.7 through 15.1.5, update to version 15.1.5 or later. For Gitlab CE/EE versions 15.2 through 15.2.3, update to version 15.2.3 or later. For Gitlab CE/EE versions 15.3 through 15.3.1, update to version 15.3.1 or later. As a temporary workaround, consider restricting access to the Commit message field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 8.3 through 14.7.6 GitLab CE/EE versions 14.8 through 14.8.4 GitLab CE/EE versions 14.9 through 14.9.1 **Description** The issue is related to improper handling of user input, allowing an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc. This can be done remotely and may lead to cross-site scripting attacks using specially crafted links. **Recommendations** For GitLab CE/EE versions 8.3 through 14.7.6, update to version 14.7.7 or later. For GitLab CE/EE versions 14.8 through 14.8.4, update to version 14.8.5 or later. For GitLab CE/EE versions 14.9 through 14.9.1, update to version 14.9.2 or later. As a temporary workaround, consider restricting the use of multi-word milestone references in issue descriptions and comments until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions prior to 11.11.6 GitLab CE/EE versions prior to 12.0.4 GitLab CE/EE versions prior to 12.1.2 **Description** An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature, which could result in a persistent XSS. **Recommendations** For versions prior to 11.11.6, update to version 11.11.6 or later. For versions prior to 12.0.4, update to version 12.0.4 or later. For versions prior to 12.1.2, update to version 12.1.2 or later.