Authorization Issue in GitLab EE Affects Merge Request Approval Processes
CVE-2019-5474

6.5MEDIUM

Key Information:

Vendor
Gitlab
Status
Gitlab Ee
Vendor
CVE Published:
28 January 2020

Summary

An authorization flaw has been identified in versions of GitLab EE prior to 12.1.2, 12.0.4, and 11.11.6, which enables the potential for unauthorized users to override merge request approval rules. This vulnerability could have significant implications for repository management and project integrity, allowing individuals without appropriate permissions to manipulate approval workflows.

Affected Version(s)

GitLab EE before 12.1.2

GitLab EE before 12.0.4

GitLab EE before 11.11.6

References

https://about.gitlab.com/releases/2019/07/29/security-rel...
x_refsource_MISC
https://hackerone.com/reports/544756
x_refsource_MISC
https://gitlab.com/gitlab-org/gitlab-ee/issues/11423
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.