diff --git a/debian/patches/cve-2017-0920.patch b/debian/patches/cve-2017-0920.patch
new file mode 100644
index 0000000000..62fe8d08c0
--- /dev/null
+++ b/debian/patches/cve-2017-0920.patch
@@ -0,0 +1,71 @@
+From 523050b6383256072364937bd61054aebca2978b Mon Sep 17 00:00:00 2001
+From: Sean McGivern
+Date: Fri, 5 Jan 2018 17:55:37 +0000
+Subject: [PATCH] Merge branch '41567-projectfix' into 'security-10-3'
+
+check project access on MR create
+
+See merge request gitlab/gitlabhq!2273
+
+(cherry picked from commit 1fe2325d6ef2bced4c5e97b57691c894f38b2834)
+
+43e85f49 check project access on MR create
+---
+ app/services/merge_requests/create_service.rb | 28 ++++++++++++++++++++++------
+ changelogs/unreleased/projectfix.yml | 6 ++++++
+ spec/features/cycle_analytics_spec.rb | 1 +
+ spec/models/project_services/microsoft_teams_service_spec.rb | 4 ++++
+ spec/requests/api/merge_requests_spec.rb | 26 +++++++++++++++++++-------
+ spec/requests/api/v3/merge_requests_spec.rb | 26 +++++++++++++++++++-------
+ spec/services/merge_requests/create_service_spec.rb | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ spec/support/slack_mattermost_notifications_shared_examples.rb | 1 +
+ 8 files changed, 133 insertions(+), 20 deletions(-)
+ create mode 100644 changelogs/unreleased/projectfix.yml
+
+--- a/app/services/merge_requests/create_service.rb
++++ b/app/services/merge_requests/create_service.rb
+@@ -1,16 +1,12 @@
+ module MergeRequests
+ class CreateService < MergeRequests::BaseService
+ def execute
+- # @project is used to determine whether the user can set the merge request's
+- # assignee, milestone and labels. Whether they can depends on their
+- # permissions on the target project.
+- source_project = @project
+- @project = Project.find(params[:target_project_id]) if params[:target_project_id]
++ set_projects!
+ 
+ params[:target_project_id] ||= source_project.id
+ 
+ merge_request = MergeRequest.new
+- merge_request.source_project = source_project
++ merge_request.source_project = @source_project
+ merge_request.merge_params['force_remove_source_branch'] = params.delete(:force_remove_source_branch)
+ 
+ create(merge_request)
+@@ -22,5 +18,25 @@
+ todo_service.new_merge_request(issuable, current_user)
+ issuable.cache_merge_request_closes_issues!(current_user)
+ end
++
++ def set_projects!
++ # @project is used to determine whether the user can set the merge request's
++ # assignee, milestone and labels. Whether they can depends on their
++ # permissions on the target project.
++ @source_project = @project
++ @project = Project.find(params[:target_project_id]) if params[:target_project_id]
++
++ # make sure that source/target project ids are not in
++ # params so it can't be overridden later when updating attributes
++ # from params when applying quick actions
++ params.delete(:source_project_id)
++ params.delete(:target_project_id)
++
++ unless can?(current_user, :read_project, @source_project) &&
++ can?(current_user, :read_project, @project)
++
++ raise Gitlab::Access::AccessDeniedError
++ end
++ end
+ end
+ end
diff --git a/debian/patches/series b/debian/patches/series
index 05468c0e92..fad968c30b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ cve-2017-0918.patch
 cve-2017-0925.patch
 cve-2017-0916.patch
 cve-2018-8971.patch
+cve-2017-0920.patch
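Review bot: The context line `params[:target_project_id] ||= source_project.id` kept in `execute` still refers to the local `source_project`, whose only visible definition (`source_project = @project`) this patch removes, so unless `MergeRequests::BaseService` happens to define a `source_project` method (not visible here) merge request creation will raise a NameError once this backport is applied. Even if the name does resolve, that line re-inserts `target_project_id` into `params` immediately after `set_projects!` has deleted it, which undoes the sanitisation the new comment in `set_projects!` describes and looks like a leftover the backport did not drop. Because `set_projects!` already leaves `@project` equal to the source project when no target id was supplied, the line can simply be removed from `execute`. Separately, the embedded diffstat lists eight files including the regression specs while the patch body carries only `create_service.rb`; a DEP-3 style note in the patch header saying the specs were intentionally omitted would avoid that being read as an incomplete application.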