CVE-2018-19572 — Race Condition in Gitlab

CWE-362 — Race Condition4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.1%

top 73.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJul 10

Latest updateMay 24

Description

GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶NVDgitlab/gitlab8.3.0 — 11.3.11+3

▶debiandebian/gitlab< gitlab 11.3.11+dfsg-1 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-j3cw-xpxv-w9fr: GitLab CE 8↗2022-05-24

▶

📋Vendor Advisories

GitLab

CVE-2018-19572: GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files↗2019-07-10

▶

Debian

CVE-2018-19572: gitlab - GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-ti...↗2018

▶