Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN799
_____________________________________________________________________

DATE                : 14/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior
                          to 18.5.2, 18.4.4, 18.3.6.

=====================================================================
https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/
_____________________________________________________________________


 GitLab Patch Release: 18.5.2, 18.4.4, 18.3.6

Learn more about GitLab Patch Release: 18.5.2, 18.4.4, 18.3.6 for
GitLab Community Edition (CE) and Enterprise Edition (EE).

Today, we are releasing versions 18.5.2, 18.4.4, 18.3.6 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we
strongly recommend that all self-managed GitLab installations be
upgraded to one of these versions immediately. GitLab.com is already
running the patched version. GitLab Dedicated customers do not need
to take action.

GitLab releases fixes for vulnerabilities in patch releases. There
are two types of patch releases: scheduled releases and ad-hoc
critical patches for high-severity vulnerabilities. Scheduled releases
are released twice a month on the second and fourth Wednesdays. For
more information, please visit our releases handbook and security FAQ.
You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made
public on our issue tracker 30 days after the release in which they
were patched.

We are committed to ensuring that all aspects of GitLab that are
exposed to customers or that host customer data are held to the
highest security standards. To maintain good security hygiene, it
is highly recommended that all customers upgrade to the latest
patch release for their supported version. You can read more best
practices in securing your GitLab instance in our blog post.
Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below are upgraded to the latest
version as soon as possible.

When no specific deployment type (omnibus, source code, helm
chart, etc.) of a product is mentioned, it means all types
are affected.


Security fixes

Table of security fixes

Title 	Severity

Cross-site scripting issue in k8s proxy impacts GitLab CE/EE
High

Incorrect Authorization issue in workflows impacts GitLab EE
Medium

Information Disclosure issue in GraphQL subscriptions impacts
GitLab CE/EE 	Medium

Information Disclosure issue in access control impacts GitLab
CE/EE 	Medium

Prompt Injection issue in GitLab Duo review impacts GitLab EE
Low

Information Disclosure issue in packages API endpoint impacts
GitLab CE/EE 	Low

Client Side Path Traversal issue in branch names impacts GitLab
EE 	Low

Improper Access Control issue in GitLab Pages impacts GitLab
CE/EE 	Low

Denial of service issue in markdown impacts GitLab CE/EE
Low

CVE-2025-11224 - Cross-site scripting issue in k8s proxy
impacts GitLab CE/EE


GitLab has remediated an issue that, under certain conditions,
could have allowed an authenticated user to execute stored
cross-site scripting through improper input validation in the
Kubernetes proxy functionality.

Impacted Versions: GitLab CE/EE: all versions from 15.10 before
18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)

Thanks joaxcar for reporting this vulnerability through our
HackerOne bug bounty program


CVE-2025-11865 - Incorrect Authorization issue in workflows
impacts GitLab EE

GitLab has remediated an issue that, under certain circumstances,
could have allowed a user to remove Duo flows of another user.

Impacted Versions: GitLab EE: all versions from 18.1 before
18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

This vulnerability has been discovered internally by GitLab team
member Dylan Griffith.


CVE-2025-2615 - Information Disclosure issue in GraphQL
subscriptions impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed a blocked
user to access sensitive information by establishing GraphQL
subscriptions through WebSocket connections.

Impacted Versions: GitLab CE/EE: all versions from 16.7 before
18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks rogerace for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2025-7000 - Information Disclosure issue in access control
impacts GitLab CE/EE

GitLab has remdiated an issue in GitLab CE/EE that under
specific conditions, could have allowed unauthorized users to
view confidential branch names by accessing project issues
with related merge requests.

Impacted Versions: GitLab CE/EE: all versions from 17.6 before
18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks weasterhacker for reporting this vulnerability through
our HackerOne bug bounty program


CVE-2025-6945 - Prompt Injection issue in GitLab Duo review
impacts GitLab EE

GitLab has remediated an issue that could have allowed an
authenticated user to leak sensitive information from
confidential issues by injecting hidden prompts in merge
request comments.

Impacted Versions: GitLab EE: all versions from 17.9 before
18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Thanks rogerace for reporting this vulnerability through
our HackerOne bug bounty program


CVE-2025-11990 - Client Side Path Traversal issue in branch
names impacts GitLab EE

GitLab has remediated an issue that could have allowed an
authenticated user to gain CSRF tokens by exploiting
improper input validation in repository references combined
with redirect handling weaknesses.

Impacted Versions: GitLab EE: all versions from 18.4
before 18.4.4, and 18.5 before 18.5.2
CVSS 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Thanks swiftee for reporting this vulnerability through
our HackerOne bug bounty program


CVE-2025-6171 - Information Disclosure issue in packages
API endpoint impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user with reporter access to view branch
names and pipeline details by accessing the packages API
endpoint even when repository access was disabled.

Impacted Versions: GitLab CE/EE: all versions from 13.2
before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks iamgk808 for reporting this vulnerability through
our HackerOne bug bounty program


CVE-2025-7736 - Improper Access Control issue in GitLab
Pages impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user to bypass access control restrictions
and view GitLab Pages content intended only for project
members by authenticating through OAuth providers.

Impacted Versions: GitLab CE/EE: all versions from 17.9
before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks mateuszek for reporting this vulnerability through
our HackerOne bug bounty program


CVE-2025-12983 - Denial of service issue in markdown
impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an
authenticated user to cause a denial of service condition
by submitting specially crafted markdown content with
nested formatting patterns.

Impacted Versions: GitLab CE/EE: all versions from 16.9
before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)

Thanks phli for reporting this vulnerability through our
HackerOne bug bounty program

### libxslt security updates

libxslt has been updated to version 1.1.43 which contains
fixes for security vulnerabilities including
CVE-2024-55549 and CVE-2025-24855


Bug fixes
18.5.2
_____________________________________________________________________
    [18.5] Backport of "Rails: Add explicit ClickHouse check skip"
    Backport of 'rf-disable-sec-attribute-feature-flags'
    Backport E2E test: fix create project web ui 18-5
    18.5 Backport of 'Fix query for finding existing Jira issues for
vulnerabilities'
    Backport of 'Filter out group-level rules from details page'
    [18.5] Reduce cached SQL queries in /api/v4/internal/pages
endpoint
    [18.5] Update dependency openssl to v3.3.2
    Update dependency simplecov-cobertura to v3
    Backport of Fix password validation exception for FIPS
    Backport of 'Fix admin_project_member policy for SAML projects
related to user namespaces'
    Backport of 'Web Agentic Chat: fix calling workflowGoal on
undefined'
    [Backport 18.5] Turn off Duo core widget for self-managed
    Backport of 'Fix status mapping evaluation for non-persisted
current status records'
    [18.5] Upgrade Rack to 2.2.20
    Backport of Elastic rake tasks projects_not_indexed and
index_projects_status could be confusing
    Backport of 'Add deleted Geo migration back'
    Backport of Allow Legacy FIPS instances to Upgrade Oauth
secerets
    Backport of Zoekt Exclude forks and Include archived filters in
the cache key
    [Backport 18.5] Clear tracking queues when recreating index from
scratch
    [18.5 Backport] Delete failed reindexing indexes created over
30 days ago
    Backport of 'Fix redirect loop in Gitea rate limit`
    [18.5 Backport] Set http_continue_timeout to nil for s3 client
    [18.5] Fix background migration when Ghost user is missing
    Backport Support Jira Cloud and Server issue fetching
    [18.5] Fix test failure by adjusting dates to match partition
range
    Backport 'Revert merge trains changes to getState GraphQL query'
    Backport 'Update merge request widget polling timeout intervals'
    [18.5] Downgrade Zeitwerk to 2.6.18
    [Backport/18.5] of Fix instance bbm for mishandled nil
verification token
    Fix NGINX not routing traffic to the right server
    [18.5] Uninstall rexml 3.4.0 and ensure 3.4.4 is used
    Update redis to v7.2.11
    Bump eventmachine-tail gem to version 0.6.6
    [18.5] Upgrade Rack to 2.2.20


18.4.4
_____________________________________________________________________
    [18.4] Backport of "Rails: Add explicit ClickHouse check skip"
    [18.4] Reduce cached SQL queries in /api/v4/internal/pages endpoint
    [18.4] Update dependency openssl to v3.3.2
    Backports branch 'tachyons-remove-ff-sha512-oauth' into 'master'
    [18.4] Update rexml to v3.4.4
    Backport of Fix password validation exception for FIPS
    Backport of 'Fix admin_project_member policy for SAML projects
related to user namespaces'
    [Backport 18.4] Turn off Duo core widget for self-managed
    [18.4] Upgrade Rack to 2.2.20
    Backport of Elastic rake tasks projects_not_indexed and
index_projects_status could be confusing
    Backport of 'Add deleted Geo migration back'
    Backport of 'Fix: prevent duplicate '?' in Download directory URL
(use '&' for extra params)'
    Backport of Allow Legacy FIPS instances to Upgrade Oauth secrets
    Backport of 'Fix redirect loop in Gitea rate limit'
    [18.4 Backport] Set http_continue_timeout to nil for s3 client
    Backport of Update Jira integration to use token-based pagination
and Support Jira Cloud and Server issue fetching
    Backport 'Revert merge trains changes to getState GraphQL query'
    Backport of Zoekt Exclude forks and Include archived filters in
the cache key
    Backport 'Update merge request widget polling timeout intervals'
    [Backport/18.4] of Fix instance bbm for mishandled nil
verification token
    [18.4] Uninstall rexml 3.4.0 and ensure 3.4.4 is used
    Update redis to v7.2.11
    [18.4] Upgrade Rack to 2.2.20


18.3.6

    [18.3] Reduce cached SQL queries in /api/v4/internal/pages
endpoint
    [18.3] Update dependency openssl to v3.3.2
    [18.3] Update rexml to v3.4.4
    [18.3] Upgrade Rack to 2.2.20
    [18.3 Backport] Set http_continue_timeout to nil for s3
client
    Backport of 'Fix redirect loop in Gitea rate limit'
    Backport of Update Jira integration to use token-based
pagination and Support Jira Cloud and Server issue fetching
    [18.3] Uninstall rexml 3.4.0 and ensure 3.4.4 is used
    Update redis to v7.2.11
    [18.3] Upgrade Rack to 2.2.20


Important notes on upgrading

This patch includes database migrations that may impact
your upgrade process.


Impact on your installation:

    Single-node instances: This patch will cause downtime during
the upgrade as migrations must complete before GitLab can start.
    Multi-node instances: With proper zero-downtime upgrade
procedures, this patch can be applied without downtime.

Post-deploy migrations

The following versions include post-deploy migrations that can
run after the upgrade:

    18.5.2
    18.4.4

To learn more about the impact of upgrades on your installation,
see:

    Zero-downtime upgrades for multi-node deployments
    Standard upgrades for single-node installations


Updating

To update GitLab, see the Update page. To update Gitlab Runner,
see the Updating the Runner page.


Receive Patch Notifications

To receive patch blog notifications delivered to your inbox,
visit our contact us page. To receive release notifications
via RSS, subscribe to our patch release RSS feed or our RSS
feed for all releases.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================