ArchLinux: 202102-11: gitlab: information disclosure
Summary
Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page. The issue is fixed in versions 13.8.2, 13.7.6 and 13.6.6.
Resolution
Upgrade to 13.8.2-1.
# pacman -Syu "gitlab>=13.8.2-1"
The problem has been fixed upstream in version 13.8.2.
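To triage hosts against this advisory, the following added example (not part of the original advisory or of GitLab or Arch tooling) classifies a version string using the ranges in the Summary. The function names `ver_lt` and `gitlab_affected` are hypothetical, and it assumes releases from 12.8 up to 13.5.x, for which no fixed release is listed, remain affected.

```shell
#!/bin/sh
# Added example. Ranges from the advisory: affected 12.8+, fixed in
# 13.6.6, 13.7.6 and 13.8.2. Assumption: 12.8 through 13.5.x stay affected.

# ver_lt A B: succeed when dotted version A is strictly lower than B.
ver_lt() {
    a="$1.0.0"; b="$2.0.0"          # pad so major.minor.patch always exist
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                         # equal versions are not "lower"
}

# gitlab_affected VERSION: 0 = affected, 1 = not affected, 2 = unparsable.
gitlab_affected() {
    v=${1#*:}                        # drop an Arch epoch ("1:13.8.1-1")
    v=${v%%-*}                       # drop the pkgrel ("13.8.2-1" -> "13.8.2")
    case $v in ''|*[!0-9.]*) return 2 ;; esac
    ver_lt "$v" 12.8 && return 1     # older than the affected range
    case $v in
        13.6|13.6.*) fixed=13.6.6 ;; # backport branches named in the Summary
        13.7|13.7.*) fixed=13.7.6 ;;
        *)           fixed=13.8.2 ;;
    esac
    ver_lt "$v" "$fixed"
}

# On an Arch host, check the installed package ("pacman -Q" prints "name version").
if command -v pacman >/dev/null 2>&1 && inst=$(pacman -Q gitlab 2>/dev/null); then
    inst=${inst#gitlab }
    rc=0; gitlab_affected "$inst" || rc=$?
    case $rc in
        0) echo "gitlab $inst: affected, upgrade to 13.8.2-1 or later" ;;
        1) echo "gitlab $inst: not affected" ;;
        *) echo "gitlab $inst: version not understood, check manually" ;;
    esac
fi
```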
References
https://gitlab.com/gitlab-org/gitlab-foss/-/commit/41b1c0469dba622a1c2c67c17f1f5e491573accf
https://security.archlinux.org/CVE-2021-22172
Workaround
None.