CVE-2023-5117

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions prior to 17.6.0

Description The issue is related to insufficient protection of service data when adding non-image attachments, resulting in a lack of authentication procedure. This allows a remote attacker to bypass security restrictions and gain unauthorized access to protected information. Specifically, files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.

Recommendations For versions prior to 17.6.0, update to version 17.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to uploaded files in comments on confidential issues and epics of public projects until the update is applied. Avoid sharing direct links to uploaded files to minimize the risk of exploitation.