Access Control Vulnerability in GitLab Community and Enterprise Editions
CVE-2019-15590

7.5HIGH

Key Information:

Vendor: Gitlab
Status: Gitlab Ee
Vendor: CVE Published:; 28 January 2020

Summary

An access control flaw has been identified in specific versions of GitLab Community and Enterprise Editions, where private merge requests and issues may inadvertently be exposed through the Group Search functionality enabled by Elasticsearch integration. This vulnerability poses a risk to user privacy and data confidentiality, allowing unauthorized access to sensitive information if not addressed promptly. Users of affected versions should consider upgrading to the latest versions to mitigate the risks associated with this security issue.

Affected Version(s)

GitLab EE before 12.3.5

GitLab EE before 12.2.8

GitLab EE before 12.1.14

References

https://hackerone.com/reports/701144

x_refsource_MISC

https://about.gitlab.com/releases/2019/10/07/security-rel...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 28, 2020
Vulnerability Reserved
Aug 26, 2019