CVE-2018-19572
published 2019-07-10

Priority: P4 (30, medium)
CVSS 3.0: 5.9, vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.92% (56.0th percentile)
GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11.

Affected (7 ranges)

Vendor        | Product   | Version range                     | Fixed in
debian        | gitlab    | < gitlab 11.3.11+dfsg-1 (sid)     | gitlab 11.3.11+dfsg-1 (sid)
gitlab        | gitlab    | (no range given)                  | (none listed)
gitlab        | gitlab    | >= 11.3.12, < 11.4.8              | 11.4.8
gitlab        | gitlab    | >= 11.4.9, < 11.5.1               | 11.5.1
gitlab        | gitlab    | >= 8.17.0, < 11.3.11              | 11.3.11
gitlab        | gitlab    | >= 8.3.0, < 11.3.11               | 11.3.11
gitlab        | gitlab_ce | (no range given)                  | (none listed)

CVSS provenance

Source        | Version | Score      | Vector
nvd           | v3.0    | 5.9 MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd           | v2.0    | 4.3 MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N
vendor_debian |         | 5.9 MEDIUM |