Images uploaded to GitLab were not stripped of EXIF geolocation data. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data, if present.
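As an added illustration of the mitigation (example code, not GitLab's own fix): a Ruby JPEG segment walker that detects and drops the APP1 "Exif" segment, which is where GPS, device and software tags live, while leaving the JFIF header, any ICC profile and the scan data untouched. The sample JPEG bytes are constructed here, not taken from a real upload.

```ruby
# Walks the marker segments of a JPEG up to SOS (Start of Scan).
# Layout: SOI (FF D8), then [FF marker][len16 BE][payload]... until SOS (FF DA),
# after which entropy-coded scan data runs to EOI (FF D9).
# Yields [marker, payload, raw_segment]; returns the offset of the first unconsumed byte.
def each_marker_segment(jpeg)
  pos = 2
  while pos + 3 < jpeg.bytesize && jpeg.getbyte(pos) == 0xFF
    marker = jpeg.getbyte(pos + 1)
    break if marker == 0xDA || marker == 0xD9     # SOS or EOI: header section is over
    len = jpeg.byteslice(pos + 2, 2).unpack1("n") # length includes its own two bytes
    raise ArgumentError, "truncated JPEG segment" if pos + 2 + len > jpeg.bytesize
    yield marker, jpeg.byteslice(pos + 4, len - 2), jpeg.byteslice(pos, 2 + len)
    pos += 2 + len
  end
  pos
end

# APP1 (FF E1) carries EXIF when its payload starts with "Exif\0\0".
# APP1 is also used for XMP, so match the identifier, not just the marker.
def exif_segment?(marker, payload)
  marker == 0xE1 && payload.start_with?("Exif\0\0".b)
end

def has_exif?(jpeg)
  found = false
  each_marker_segment(jpeg) { |m, p, _| found ||= exif_segment?(m, p) }
  found
end

# Returns a copy of the JPEG with every EXIF APP1 segment removed.
def strip_exif(jpeg)
  raise ArgumentError, "not a JPEG" unless jpeg.byteslice(0, 2) == "\xFF\xD8".b
  out = "\xFF\xD8".b
  rest = each_marker_segment(jpeg) { |m, p, raw| out << raw unless exif_segment?(m, p) }
  out << jpeg.byteslice(rest, jpeg.bytesize - rest)   # SOS, scan data and EOI copied verbatim
end

def jpeg_segment(marker, payload)
  [0xFF, marker, payload.bytesize + 2].pack("CCn") + payload.b
end

# Constructed sample, not a real photo: JFIF APP0, an Exif APP1 whose body is a
# placeholder standing in for the GPS IFD, then SOS, three bytes of fake scan data, EOI.
SAMPLE_JPEG = ("\xFF\xD8".b +
  jpeg_segment(0xE0, "JFIF\0\x01\x01\0\0\x01\0\x01\0\0") +
  jpeg_segment(0xE1, "Exif\0\0MM\0\x2A\0\0\0\x08" + "GPS-IFD-PLACEHOLDER") +
  jpeg_segment(0xDA, "\x01\x01\x00\x00\x3F\x00") + "\x12\x34\x56".b + "\xFF\xD9".b).freeze
```

Running `has_exif?` over stored uploads is also a cheap way to audit whether an earlier version of the pipeline let metadata through.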
An authorization issue was discovered which allowed non-members of a private project/group to add and read labels.
Within the GeoAuthController for the secondary Geo node, a redirect is triggered after successful authentication which was subject to an open redirect vulnerability.
The HMAC key was derived in an insecure way.
During the OAuth authentication process, the application attempts to validate a parameter in an insecure way, potentially exposing data.
A potential denial of service (DoS) attack vector was discovered on the project languages endpoint.
An authorization issue was discovered for the GitLab Releases feature which could allow guest users access to private information like release details.