CVE-2019-19312 — Sensitive Information Exposure in Gitlab

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

5.8MEDIUMNVD

EPSS

0.2%

top 60.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedJan 5

Latest updateMay 24

Description

GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDgitlab/gitlab8.14.0 — 12.3.8+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-6955-m4p2-35rh: GitLab EE 8↗2022-05-24

▶

📋Vendor Advisories

GitLab

CVE-2019-19312: GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were↗2020-01-05

▶

Debian

CVE-2019-19312: gitlab - GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. Af...↗2019

▶