High
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorized user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under certain conditions, GitLab REST API may allow unprivileged users to add other users to groups even if that is not possible to do through the Web UI.
Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an unauthorized actor to create Snippets with misleading content, which could trick unsuspecting users into executing arbitrary commands.
Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an unauthorized actor to steal environment variables via specially crafted email addresses.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.0 and all versions starting from 14.4 before 14.8. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration by unauthenticated users through the GraphQL API.
An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, and all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions.
An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15. It was possible to trigger a DOS by using the math feature with a specific formula in issue comments.
GitLab
All versions of GitLab CE/EE
GitLab Omnibus prior to 14.8
Refer to GitHUB Advisory for patch, upgrade, or suggested workaround information.
https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/