GitLab CE/EE Information Disclosure Vulnerability in CSV Export

A vulnerability allowing access to confidential issues assigned to other users via CSV export has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE). This issue affects all versions from 18.2 prior to 18.8.9, 18.9 prior to 18.9.5, and 18.10 prior to 18.10.3. The vulnerability arises from insufficient authorization checks, which could have allowed an authenticated user to access sensitive information that should have been restricted.

Impact

Exploitation of this vulnerability could lead to unauthorized access to confidential issues, allowing users to view sensitive information assigned to others.

Remediation

Users are strongly advised to upgrade to GitLab versions 18.10.3, 18.9.5, or 18.8.9. Instructions for updating GitLab can be found in the GitLab Update documentation. Note that the SLES 12.5 packages for 18.10.3 and 18.9.5 are not present in this release.