CVE-2019-19629 — Sensitive Information Exposure in Gitlab

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 74.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedJan 5

Latest updateMay 24

Description

In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDgitlab/gitlab10.5.0 — 12.3.8+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-9338-7cq4-hm8v: In GitLab EE 10↗2022-05-24

▶

📋Vendor Advisories

GitLab

CVE-2019-19629: In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the G↗2020-01-05

▶

Debian

CVE-2019-19629: gitlab - In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public...↗2019

▶