hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动
文件
982a352a546f34bbfdcd5bbef8d4efc131ee83da
websafe-kb/08-threat-intel/registry/advisories/gitlab-ce--c9ed3b92bd.json

150 行
33 KiB
JSON
原始文件 Blame 文件历史

{
"canonical_id": "gitlab-ce--c9ed3b92bd",
"system_id": "gitlab-ce",
"display_name": "GitLab CE",
"category": "platforms",
"advisory_mode": "core",
"title": "GitLab Patch Release: 18.10.1, 18.9.3, 18.8.7",
"summary": "<!-- For detailed instructions on how to complete this, please see https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/patch/blog-post.md -->\n\n<p>Today, we are releasing versions 18.10.1, 18.9.3, 18.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>\n\n<p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to\none of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p>\n\n<p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases:\nscheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays.\nFor more information, please visit our <a href=\"https://handbook.gitlab.com/handbook/engineering/releases/\">releases handbook</a> and <a href=\"https://about.gitlab.com/security/faq/\">security FAQ</a>.\nYou can see all of GitLab release blog posts <a href=\"/releases/categories/releases/\">here</a>.</p>\n\n<p>For security fixes, the issues detailing each vulnerability are made public on our\n<a href=\"https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100\">issue tracker</a>\n30 days after the release in which they were patched.</p>\n\n<p>We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to\nthe highest security standards. To maintain good security hygiene, it is highly recommended that all customers\nupgrade to the latest patch release for their supported version. You can read more\n<a href=\"/blog/2020/05/20/gitlab-instance-security-best-practices/\">best practices in securing your GitLab instance</a> in our blog post.</p>\n\n<h3 id=\"recommended-action\">Recommended Action</h3>\n\n<p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p>\n\n<p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.</p>\n\n<h2 id=\"security-fixes\">Security fixes</h2>\n\n<h3 id=\"table-of-security-fixes\">Table of security fixes</h3>\n\n<table>\n <thead>\n <tr>\n <th>Title</th>\n <th>Severity</th>\n </tr>\n </thead>\n <tbody>\n <tr>\n <td><a href=\"#cve-2026-2370---improper-handling-of-parameters-issue-in-jira-connect-installations-impacts-gitlab-ceee\">Improper Handling of Parameters issue in Jira Connect installations impacts GitLab CE/EE</a></td>\n <td>High</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2026-3857---cross-site-request-forgery-issue-in-glql-api-impacts-gitlab-ceee\">Cross-Site Request Forgery issue in GLQL API impacts GitLab CE/EE</a></td>\n <td>High</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2026-2995---html-injection-in-vulnerability-report-impacts-gitlab-ee\">HTML Injection in vulnerability report impacts GitLab EE</a></td>\n <td>High</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2026-3988---denial-of-service-issue-in-graphql-api-impacts-gitlab-ceee\">Denial of Service issue in GraphQL API impacts GitLab CE/EE</a></td>\n <td>High</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2026-2745---improper-access-control-issue-in-webauthn-2fa-impacts-gitlab-ceee\">Improper Access Control issue in WebAuthn 2FA impacts GitLab CE/EE</a></td>\n <td>Medium</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2026-1724---improper-access-control-issue-in-graphql-query-impacts-gitlab-ee\">Improper Access Control issue in GraphQL query impacts GitLab EE</a></td>\n <td>Medium</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2025-13436---denial-of-service-issue-in-ci-configuration-processing-impacts-gitlab-ceee\">Denial of Service issue in CI configuration processing impacts GitLab CE/EE</a></td>\n <td>Medium</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2025-13078---denial-of-service-issue-in-webhook-configuration-impacts-gitlab-ceee\">Denial of Service issue in webhook configuration impacts GitLab CE/EE</a></td>\n <td>Medium</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2026-2973---cross-site-scripting-issue-in-mermaid-diagram-renderer-impacts-gitlab-ceee\">Cross-site Scripting issue in Mermaid diagram renderer impacts GitLab CE/EE</a></td>\n <td>Medium</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2026-2726---improper-access-control-issue-in-merge-requests-impacts-gitlab-ceee\">Improper Access Control issue in Merge Requests impacts GitLab CE/EE</a></td>\n <td>Medium</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2025-14595---access-control-issue-in-graphql-api-impacts-gitlab-ee\">Access Control issue in GraphQL API impacts GitLab EE</a></td>\n <td>Medium</td>\n </tr>\n <tr>\n <td><a href=\"#cve-2026-4363---incorrect-authorization-issue-in-authorization-caching-impacts-gitlab-ee\">Incorrect Authorization issue in authorization caching impacts GitLab EE</a></td>\n <td>Low</td>\n </tr>\n </tbody>\n</table>\n\n<h3 id=\"cve-2026-2370---improper-handling-of-parameters-issue-in-jira-connect-installations-impacts-gitlab-ceee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2026-2370\">CVE-2026-2370</a> - Improper Handling of Parameters issue in Jira Connect installations impacts GitLab CE/EE</h3>\n\n<p>GitLab has remediated an issue affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 8.1 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/maksyche\">maksyche</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2026-3857---cross-site-request-forgery-issue-in-glql-api-impacts-gitlab-ceee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2026-3857\">CVE-2026-3857</a> - Cross-Site Request Forgery issue in GLQL API impacts GitLab CE/EE</h3>\n\n<p>GitLab has remediated an issue that could have allowed an unauthenticated user to execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 8.1 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/ahacker1\">ahacker1</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2026-2995---html-injection-in-vulnerability-report-impacts-gitlab-ee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2026-2995\">CVE-2026-2995</a> - HTML Injection in vulnerability report impacts GitLab EE</h3>\n\n<p>GitLab has remediated an issue that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab EE: all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 7.7 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N\"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/a_m_a_m\">a_m_a_m</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2026-3988---denial-of-service-issue-in-graphql-api-impacts-gitlab-ceee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2026-3988\">CVE-2026-3988</a> - Denial of Service issue in GraphQL API impacts GitLab CE/EE</h3>\n\n<p>GitLab has remediated an issue that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in GraphQL request processing.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 7.5 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/svalkanov\">svalkanov</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2026-2745---improper-access-control-issue-in-webauthn-2fa-impacts-gitlab-ceee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2026-2745\">CVE-2026-2745</a> - Improper Access Control issue in WebAuthn 2FA impacts GitLab CE/EE</h3>\n\n<p>GitLab has remediated an issue that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 6.8 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/a0xnirudh\">a0xnirudh</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2026-1724---improper-access-control-issue-in-graphql-query-impacts-gitlab-ee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2026-1724\">CVE-2026-1724</a> - Improper Access Control issue in GraphQL query impacts GitLab EE</h3>\n\n<p>GitLab has remediated an issue that could have allowed an unauthenticated user to access API tokens of self-hosted AI models due to improper access control.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab EE: all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 6.8 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\"><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/maksyche\">maksyche</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2025-13436---denial-of-service-issue-in-ci-configuration-processing-impacts-gitlab-ceee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2025-13436\">CVE-2025-13436</a> - Denial of Service issue in CI configuration processing impacts GitLab CE/EE</h3>\n\n<p>GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 6.5 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/a92847865\">a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2025-13078---denial-of-service-issue-in-webhook-configuration-impacts-gitlab-ceee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2025-13078\">CVE-2025-13078</a> - Denial of Service issue in webhook configuration impacts GitLab CE/EE</h3>\n\n<p>GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 6.5 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/lucky_luke\">lucky_luke</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2026-2973---cross-site-scripting-issue-in-mermaid-diagram-renderer-impacts-gitlab-ceee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2026-2973\">CVE-2026-2973</a> - Cross-site Scripting issue in Mermaid diagram renderer impacts GitLab CE/EE</h3>\n\n<p>GitLab has remediated an issue that could have allowed an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in Mermaid diagrams.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 5.4 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/go7f0\">go7f0</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2026-2726---improper-access-control-issue-in-merge-requests-impacts-gitlab-ceee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2026-2726\">CVE-2026-2726</a> - Improper Access Control issue in Merge Requests impacts GitLab CE/EE</h3>\n\n<p>GitLab has remediated an issue that could have allowed an authenticated user to perform unauthorized actions on merge requests in other projects due to improper access control during cross-repository operations.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 11.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 4.3 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/pkkr\">pkkr</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2025-14595---access-control-issue-in-graphql-api-impacts-gitlab-ee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2025-14595\">CVE-2025-14595</a> - Access Control issue in GraphQL API impacts GitLab EE</h3>\n\n<p>GitLab has remediated an issue that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab EE: all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 4.3 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>)</p>\n\n<p>Thanks <a href=\"https://hackerone.com/kamikaze1337\">kamikaze1337</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>\n\n<h3 id=\"cve-2026-4363---incorrect-authorization-issue-in-authorization-caching-impacts-gitlab-ee\"><a href=\"https://www.cve.org/CVERecord?id=CVE-2026-4363\">CVE-2026-4363</a> - Incorrect Authorization issue in authorization caching impacts GitLab EE</h3>\n\n<p>GitLab has remediated an issue that under certain conditions could have allowed an authenticated user to gain unauthorized access to resources due to improper caching of authorization decisions.</p>\n\n<p><strong>Impacted Versions:</strong> GitLab EE: all versions from 18.1 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 <br />\n<strong>CVSS</strong> 3.7 (<a href=\"https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N\"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N</code></a>)</p>\n\n<p>This vulnerability was discovered internally by GitLab team member Fred de Gier.</p>\n\n<h2 id=\"bug-fixes\">Bug fixes</h2>\n\n<h3 id=\"18101\">18.10.1</h3>\n\n<ul>\n <li><a href=\"https://gitlab.com/gitlab-org/gitaly/-/merge_requests/8577\">Backport gocloud version and checksum fix to 18-10 stable</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227950\">[18.10] Zero downtime reindexing make setting async-durability optional</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227835\">Backport \"CI: Update CNG mirror skip job regex\"</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227763\">Backport of 'Revert Code review flow automatic reviews enabled by default for groups'</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228063\">Backport Handle http-abort panic and pass http execution error</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228199\">Backport 18.10: Do not check column default in state machine initialization</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228241\">Backport of What's new - 18.10</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228254\">[18.10 Backport] Fix statement timeouts on p_ci_job_artifacts during pipeline deletion</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228389\">Backport of \"Execute BBM affected by single record table bug\"</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228257\">Fix regression: \"Git operations for Deploy keys fail on a Geo Site\"</a></li>\n</ul>\n\n<h3 id=\"1893\">18.9.3</h3>\n\n<ul>\n <li><a href=\"https://gitlab.com/gitlab-org/gitaly/-/merge_requests/8576\">Backport gocloud version and checksum fix to 18-9 stable</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/226264\">[Backport 18.9] Fix gitlab:setup failure on fresh database</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/226447\">[18.9] Update dependency oj to v3.16.15</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/226351\">Backport of 'Use v-safe-html for commit.titleHtml in collapsible commit info'</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/226721\">18.9 Backport of 'Fix re-archiving projects and subgroups after group unarchive'</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227023\">Backport of 'Fix edit in pipeline editor button not showing on ci file on file navigation'</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227276\">[18.9] GLQL advanced finder, remove project_ids</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227193\">Backport of 'Update rack gem to 2.2.22'</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227490\">Backport <code>oj</code> and <code>oj-introspect</code> gem updates</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227473\">[18.9] Exclude group-covered projects from search authorization to reduce redundant payload</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227834\">Backport \"CI: Update CNG mirror skip job regex\"</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227951\">[18.9] Zero downtime reindexing make setting async-durability optional</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228201\">Backport 18.9: Do not check column default in state machine initialization</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227826\">Backport of \"Execute BBM affected by single record table bug\"</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228255\">[18.9 Backport] Fix statement timeouts on p_ci_job_artifacts during pipeline deletion</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228269\">Fix regression: \"Git operations for Deploy keys fail on a Geo Site\"</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/9198\">Backport: Fix Valkey version detection</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/9210\">18.9 Backport CI: Fix the package install for zypper based distros</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/9205\">[18.9] Backport Mattermost Security Updates February 23, 2026</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/9222\">Backport 18-9-stable - check-packages uses Pulp</a></li>\n</ul>\n\n<h3 id=\"1887\">18.8.7</h3>\n\n<ul>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/226555\">Fix command execution race condition in Agentic Chat</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/225307\">Backport of 'fix: allow explain for all add ons'</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/226448\">[18.8] Update dependency oj to v3.16.15</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/226720\">18.8 Backport of 'Fix re-archiving projects and subgroups after group unarchive'</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/225856\">Add DAP self-hosted model DAP check in user_authorizable</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227036\">Backport of 'Fix edit in pipeline editor button not showing on ci file on file navigation'</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227277\">[18.8] GLQL advanced finder, remove project_ids</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227488\">Backport <code>oj</code> and <code>oj-introspect</code> gem updates</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227202\">Backport of 'Update rack gem to 2.2.22'</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227832\">Backport \"CI: Update CNG mirror skip job regex\"</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227474\">[18.8] Exclude group-covered projects from search authorization to reduce redundant payload</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227952\">[18.8] Zero downtime reindexing make setting async-durability optional</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228000\">Backport of \"Execute BBM affected by single record table bug\"</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228256\">[18.8 Backport] Fix statement timeouts on p_ci_job_artifacts during pipeline deletion</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/gitlab/-/merge_requests/228271\">Fix regression: \"Git operations for Deploy keys fail on a Geo Site\"</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/9211\">18.8 Backport CI: Fix the package install for zypper based distros</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/9206\">[18.8] Backport Mattermost Security Updates February 23, 2026</a></li>\n <li><a href=\"https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/9223\">Backport 18-8-stable - check-packages uses Pulp</a></li>\n</ul>\n\n<h2 id=\"important-notes-on-upgrading\">Important notes on upgrading</h2>\n\n<p>This patch includes database migrations that may impact your upgrade process.</p>\n\n<h3 id=\"impact-on-your-installation\">Impact on your installation:</h3>\n<ul>\n <li><strong>Single-node instances</strong>: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.</li>\n <li><strong>Multi-node instances</strong>: With proper <a href=\"https://docs.gitlab.com/ee/update/zero_downtime.html\">zero-downtime upgrade procedures</a>, this patch can be applied without downtime.</li>\n</ul>\n\n<h3 id=\"post-deploy-migrations\">Post-deploy migrations</h3>\n\n<p>The following versions include post-deploy migrations that can run after the upgrade:</p>\n\n<ul>\n <li>18.10.1</li>\n <li>18.9.3</li>\n <li>18.8.7</li>\n</ul>\n\n<p>To learn more about the impact of upgrades on your installation, see:</p>\n<ul>\n <li><a href=\"https://docs.gitlab.com/ee/update/zero_downtime.html\">Zero-downtime upgrades</a> for multi-node deployments</li>\n <li><a href=\"https://docs.gitlab.com/update/package/#downtime\">Standard upgrades</a> for single-node installations</li>\n</ul>\n\n<h2 id=\"updating\">Updating</h2>\n\n<p>To update GitLab, see the <a href=\"/update\">Update page</a>.\nTo update GitLab Runner, see the <a href=\"https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner\">Updating the Runner page</a>.</p>\n\n<h2 id=\"receive-patch-notifications\">Receive Patch Notifications</h2>\n\n<p>To receive patch blog notifications delivered to your inbox, visit our <a href=\"https://about.gitlab.com/company/contact/\">contact us</a> page.\nTo receive release notifications via RSS, subscribe to our <a href=\"https://about.gitlab.com/security-releases.xml\">patch release RSS feed</a> or our <a href=\"https://about.gitlab.com/all-releases.xml\">RSS feed for all releases</a>.</p>\n<img src='https://about.gitlab.com/images/blogimages/security-cover-fy26.png' class='webfeedsFeaturedVisual' style='display: none;' />",
"published_at": "2026-03-25T00:00:00+00:00",
"updated_at": "2026-03-25T00:00:00+00:00",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://about.gitlab.com/security-releases.xml",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"deserialization-safety",
"xss-output-encoding",
"dependency-upgrade-policy"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"entity_refs": [
{
"entity_id": "gitlab-ce",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "gitlab-ce",
"official": true
}
],
"affected_components": [
{
"name": "GitLab CE",
"entity_id": "gitlab-ce",
"scope": "core",
"package_name": null,
"official": true
}
],
"affected_version_ranges": [],
"fixed_version_ranges": [],
"introduced_version": null,
"patched_version": null,
"version_evidence_sources": [
"https://about.gitlab.com/security-releases.xml"
],
"affected_version_refs": [],
"fixed_version_refs": [],
"patched_version_refs": [],
"version_sync_confidence": "low",
"advisory_scope": "core",
"version_confidence": "low",
"version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
"version_resolution_needed": true,
"workflow": {
"workflow_id": "gitlab-ce--c9ed3b92bd--workflow",
"vuln_family": "xss",
"entry_surface": "web-ui-render-path",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "editor-or-admin",
"affected_version_assertion": [
"\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
],
"trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/admin/editor",
"/preview",
"/rendered-content"
],
"input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
"expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "needs-version-gap-review"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"GitLab Security Releases Atom"
],
"source_kinds": [
"atom-feed"
],
"candidate_count": 1,
"entity_ref_count": 1,
"advisory_scope": "core",
"version_confidence": "low",
"workflow_id": "gitlab-ce--c9ed3b92bd--workflow"
}
}
在新工单中引用 查看 Git Blame 复制永久链接