CVE-2019-15590

CWE-284 — Improper Access Control5 documents5 sources

Severity

7.5HIGH

EPSS

0.1%

top 70.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Gitlab Gitlab Gitlab EE

Timeline

PublishedJan 28

Latest updateMay 24

Description

An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDgitlab/gitlab12.1.0 — 12.1.14+2

▶CVEListV5gitlab/gitlab_eebefore 12.1.14, before 12.2.8, before 12.3.5+2

🔴Vulnerability Details

GHSA

GHSA-83w3-58xf-86mr: An access control issue exists in < 12↗2022-05-24

▶

CVEList

CVE-2019-15590: An access control issue exists in < 12↗2020-01-28

▶

📋Vendor Advisories

GitLab

CVE-2019-15590: An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge↗2020-01-28

▶

Debian

CVE-2019-15590: gitlab - An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab C...↗2019

▶