Impact
GitLab contains a flaw that can allow an authenticated user to create a repository in which the content displayed on the web interface differs from the content that is actually retrieved when the repository is downloaded. This discrepancy arises because Git reference names are not correctly resolved when handling repository uploads, leading to a mismatch between what a user sees and what data is stored. The flaw does not provide direct confidentiality or integrity violations for the system itself, but it can mislead users or enable a malicious actor to present misleading or altered content to others who rely on the web view.
Affected Systems
GitLab Community Edition and Enterprise Edition are affected for all releases from version 16.5 up to, but not including, 18.11.7, from 19.0 up to, but not including, 19.0.4, and from 19.1 up to, but not including, 19.1.2. The vulnerability applies to both the source and the packaged GitLab offerings, regardless of deployment mode.
Risk and Exploitability
The CVSS score of 3.5 classifies the vulnerability as low severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, indicating that there is no known active exploitation. The attack vector requires an authenticated user with permission to create new repositories; no network access or remote code execution is possible. Overall, the risk is modest, bounded to the potential for content confusion or deceptive representation within a user’s own environment.
OpenCVE Enrichment