Xanbanx

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 10.6 and later **Description** The issue allows a project export to leak the external webhook token value, potentially granting access to the project it was exported from. **Recommendations** For GitLab CE/EE versions 10.6 and later, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitLab versions prior to 13.1 **Description** A vulnerability was discovered that allows the restriction for Github project import to be bypassed under certain conditions. **Recommendations** For versions prior to 13.1, update to version 13.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 10.3 through 13.0.1 **Description** The issue allows other group maintainers to view Kubernetes cluster tokens, potentially leading to unauthorized access. **Recommendations** For GitLab CE/EE versions 10.3 through 13.0.1, update to a version later than 13.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 12.8 through 13.0.1 **Description** A Stored Cross-Site Scripting issue allowed the execution of Javascript payloads on the Metrics Dashboard. **Recommendations** For GitLab CE/EE versions 12.8 through 13.0.1, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** GitLab EE/CE versions 8.17 to 12.9 **Description** The issue concerns information leakage when querying a merge request widget. **Recommendations** For GitLab EE/CE versions 8.17 to 12.9, update to a version that contains a fix for this issue to prevent information leakage.

**Name of the Vulnerable Software and Affected Versions** GitLab EE/CE versions 11.10 through 12.9 **Description** The issue is related to the leaking of information on restricted CI pipelines metrics to unauthorized users. **Recommendations** For GitLab EE/CE versions 11.10 through 12.9, update to a version that contains a fix for this issue to prevent information leakage.

**Name of the Vulnerable Software and Affected Versions** GitLab versions 12.1 through 12.8.1 **Description** A cross-site scripting issue was found in a specific view related to the Grafana integration, allowing for potential exploitation. **Recommendations** For versions 12.1 through 12.8.1, update to a version that contains a fix for this issue to prevent potential cross-site scripting exploitation.

**Name of the Vulnerable Software and Affected Versions** GitLab versions 12.3.5 through 12.8.1 **Description** The issue allows information disclosure. A particular view was exposing merge private merge request titles. **Recommendations** For GitLab versions 12.3.5 through 12.8.1, update to a version that contains a fix for this issue to prevent information disclosure. As a temporary workaround, consider restricting access to the view that exposes merge private merge request titles until a patch is available.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions 9.0 through 12.0.2 Description: An issue was discovered that allows users with access to issues, but not the repository, to view the number of related merge requests on an issue. This is due to incorrect access control. Recommendations: For GitLab Community and Enterprise Edition versions 9.0 through 12.0.2, update to a version that contains a fix for this issue to prevent unauthorized access to related merge requests. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GitLab Enterprise Edition and Community Edition versions 1.10 through 12.0.2 Description: An issue was discovered in the GitLab graphql service, which was vulnerable to multiple authorization issues. These issues disclosed restricted user, group, and repository metadata to unauthorized users due to Incorrect Access Control. Recommendations: For versions 1.10 through 12.0.2, update to a version that includes the fix for the authorization issues in the GitLab graphql service to prevent disclosure of restricted metadata to unauthorized users.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions 11.10 through 12.0.2 Description: An issue was discovered that allows unauthorized users to read pipeline information of the last merge request due to Incorrect Access Control. Recommendations: For GitLab Community and Enterprise Edition versions 11.10 through 12.0.2, update to a version that contains a fix for this issue to prevent unauthorized access to pipeline information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions 8.13 through 11.11 Description: An issue was discovered that allows restricted users to access the metadata of private milestones through the Search API, which is an example of Improper Access Control. Recommendations: For GitLab Community and Enterprise Edition versions 8.13 through 11.11, consider restricting access to the Search API until a patch is available. As a temporary workaround, limit the visibility of private milestones to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitLab versions 10.7 through 12.7.2 **Description** The issue is related to incorrect access control. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For GitLab versions 10.7 through 12.7.2, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 8.0 through 12.7.2 **Description** The issue allows information disclosure. **Recommendations** For GitLab EE versions 8.0 through 12.7.2, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 12.4 through 12.7.2 **Description** The issue is related to incorrect access control. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For GitLab EE versions 12.4 through 12.7.2, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitLab Community Edition (CE) and Enterprise Edition (EE) version 12.6 **Description** An issue was discovered in GitLab, related to Incorrect Access Control. **Recommendations** For GitLab Community Edition (CE) and Enterprise Edition (EE) version 12.6, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 8.4 through 12.5 GitLab EE version 12.4.3 GitLab EE version 12.3.6 **Description** The issue concerns the storage of several tokens in plaintext. **Recommendations** For GitLab EE versions 8.4 through 12.5, update to a version that does not store tokens in plaintext. For GitLab EE version 12.4.3, update to a version that does not store tokens in plaintext. For GitLab EE version 12.3.6, update to a version that does not store tokens in plaintext.

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions prior to 11.4.13 GitLab Community and Enterprise Edition versions 11.5.x prior to 11.5.6 GitLab Community and Enterprise Edition versions 11.6.x prior to 11.6.1 Description: The issue is related to Incorrect Access Control. Recommendations: For versions prior to 11.4.13, update to version 11.4.13 or later. For versions 11.5.x prior to 11.5.6, update to version 11.5.6 or later. For versions 11.6.x prior to 11.6.1, update to version 11.6.1 or later.

**Name of the Vulnerable Software and Affected Versions** gitlab versions prior to 12.3.2 gitlab versions prior to 12.2.6 gitlab versions prior to 12.1.10 **Description** An information exposure issue exists when using the blocking merge request feature. It allows an unauthenticated user to see the head pipeline data of a public project, even though pipeline visibility was restricted. **Recommendations** For versions prior to 12.3.2, update to version 12.3.2 or later to resolve the issue. For versions prior to 12.2.6, update to version 12.2.6 or later to resolve the issue. For versions prior to 12.1.10, update to version 12.1.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GitLab versions prior to 12.3.3 **Description** An issue exists that allows an attacker to bypass access controls and obtain container and dependency scanning reports through the merge request widget, even when public pipelines are disabled. **Recommendations** For versions prior to 12.3.3, update to version 12.3.3 or later to resolve the issue.