Saltyyolk

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 13.9 and later Description: An issue has been discovered in GitLab CE/EE where a specially crafted import file could read files on the server. Recommendations: For GitLab CE/EE versions 13.9 and later, consider restricting the import functionality until a fix is available to prevent potential file reading on the server. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** rack versions prior to 2.2.0 **Description** A directory traversal issue exists in the Rack::Directory app, allowing an attacker to perform a directory traversal attack, which could result in information disclosure. The vulnerability is related to the `check forbidden` function in the `rack/directory.rb` module, which incorrectly restricts the directory path name. This could allow a remote attacker to access confidential data. **Recommendations** For versions prior to 2.2.0, update to version 2.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Rack::Directory app until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 12.8 and later **Description** The issue allows exposure of sensitive information to an unauthorized actor via NuGet. **Recommendations** For GitLab EE versions 12.8 and later, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 11.7 through 12.9 **Description** The NPM feature in GitLab EE is affected by a path traversal issue. **Recommendations** For versions 11.7 through 12.9, update to a version that contains a fix for this issue to prevent path traversal exploitation.

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Edition versions prior to 10.7.7 GitLab Community and Enterprise Edition versions 10.8.x prior to 10.8.6 GitLab Community and Enterprise Edition versions 11.x prior to 11.0.4 **Description** The issue allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component. **Recommendations** For versions prior to 10.7.7, update to version 10.7.7 or later. For versions 10.8.x prior to 10.8.6, update to version 10.8.6 or later. For versions 11.x prior to 11.0.4, update to version 11.0.4 or later.