An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group was due to incorrect handling of file.
{ "binaries": [ { "binary_name": "gitlab", "binary_version": "8.5.8+dfsg-5" } ] }