CVE-2019-15580 — Sensitive Info Insertion into Sent Data in Gitlab

CWE-201 — Sensitive Info Insertion into Sent Data CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 53.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedDec 18

Latest updateMay 24

Description

An information exposure vulnerability exists in gitlab.com <v12.3.2, <v12.2.6, and <v12.1.10 when using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgitlab/gitlab12.2.0 — 12.2.6+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-cfp2-8mw9-wg68: An information exposure vulnerability exists in gitlab↗2022-05-24

▶

📋Vendor Advisories

GitLab

CVE-2019-15580: An information exposure vulnerability exists in gitlab.com <v12.3.2, <v12.2.6, and <v12.1.10 when using the blocking merge request feature, it was pos↗2019-12-18

▶

Debian

CVE-2019-15580: gitlab - An information exposure vulnerability exists in gitlab.com <v12.3.2, <v12.2.6, a...↗2019

▶