CVE-2019-5462 — Insufficient Session Expiration in Gitlab

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 36.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab Community Edition AND Gitlab Enterprise Edition +1 more

Timeline

PublishedJan 28

Latest updateMay 24

Description

A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDgitlab/gitlab9.0.0 — 11.11.7

▶debiandebian/gitlab< gitlab 12.6.8-3 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

▶CVEListV5gitlab/gitlab_community_edition_and_gitlab_enterprise_editionAffects GitLab CE/EE 9.0 and later, Fixed in 12.1.2 in 12.0.4 and in 11.11.6+1

Patches

Patch: about.gitlab.com ↗Patch: about.gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-qg3j-4m32-rxh8: A privilege escalation issue was discovered in GitLab CE/EE 9↗2022-05-24

▶

📋Vendor Advisories

GitLab

CVE-2019-5462: A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed.↗2020-01-28

▶

Debian

CVE-2019-5462: gitlab - A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when t...↗2019

▶