Images uploaded to GitLab were not stripped of EXIF geolocation data. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data, if present.
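The mitigation for this class of issue is to drop the EXIF segment from an image before it is stored. The following is an added example, not GitLab's own code: it walks the JPEG header and removes every APP1 "Exif" segment while leaving JFIF and scan data intact, run over a constructed sample upload (the Exif payload is dummy bytes, not a real TIFF/GPS directory).

```ruby
# Added example, not GitLab's own code. Strips every APP1 "Exif" segment from a
# JPEG so that geolocation, device and software tags never reach storage.
# Assumption: a baseline JPEG, where all APPn metadata segments precede the
# Start Of Scan marker (0xFFDA); everything from SOS onward is copied as-is.
SOI = "\xFF\xD8".b
EOI = "\xFF\xD9".b
EXIF_HEADER = "Exif\0\0".b

def strip_exif(jpeg)
  jpeg = jpeg.b
  raise ArgumentError, "not a JPEG" unless jpeg.start_with?(SOI)
  out = SOI.dup
  pos = 2
  while pos + 4 <= jpeg.bytesize
    raise ArgumentError, "bad marker at byte #{pos}" unless jpeg.getbyte(pos) == 0xFF
    marker = jpeg.getbyte(pos + 1)
    break if marker == 0xDA                       # SOS: no more metadata segments
    len = jpeg.byteslice(pos + 2, 2).unpack1("n") # segment length includes itself
    segment = jpeg.byteslice(pos, 2 + len)
    raise ArgumentError, "truncated segment" if segment.bytesize < 2 + len
    is_exif = marker == 0xE1 && segment.byteslice(4, 6) == EXIF_HEADER
    out << segment unless is_exif                 # drop Exif, keep JFIF/ICC/etc.
    pos += 2 + len
  end
  out << jpeg.byteslice(pos..-1)                  # scan data (or trailing bytes)
end

# True when an Exif APP1 segment is still present in the header.
def exif?(jpeg)
  strip_exif(jpeg) != jpeg.b
end

# Builds one marker segment; used only to assemble the constructed sample below.
def segment(marker, payload)
  "\xFF".b + marker.chr + [payload.bytesize + 2].pack("n") + payload.b
end

JFIF_APP0  = segment(0xE0, "JFIF\0\x01\x01\0\0\x01\0\x01\0\0")
EXIF_APP1  = segment(0xE1, EXIF_HEADER + "II*\0<dummy GPS IFD bytes>")  # constructed
SOS_ONWARD = segment(0xDA, "\x01\x01\x00\x00\x3F\x00") + "\x12\x34".b + EOI

UPLOAD_WITH_EXIF = SOI + EXIF_APP1 + JFIF_APP0 + SOS_ONWARD   # constructed input
UPLOAD_CLEAN     = SOI + JFIF_APP0 + SOS_ONWARD               # expected output

if __FILE__ == $0
  puts "exif before: #{exif?(UPLOAD_WITH_EXIF)}, after: #{exif?(strip_exif(UPLOAD_WITH_EXIF))}"
end
```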
An authorization issue was discovered which allowed non-members of a private project/group to add and read labels.
Within the GeoAuthController for the secondary Geo node, a redirect is triggered after successful authentication which was subject to an open redirect vulnerability.
The HMAC key was derived insecurely.