ID CVE-2018-19582
Summary GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user.
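The summary names the vulnerability class (an insecure direct object reference, CWE-639) and the affected action (publishing another user's draft merge request comments). The Ruby below is an added illustration of that class and is not GitLab's code: `DraftNote`, `build_drafts` and the three `publish_draft_*` functions are hypothetical stand-ins for a "publish draft comment" endpoint, written to contrast an id-only lookup with one bound to the requesting user.

```ruby
# Added illustration of the vulnerability class named in the summary (IDOR,
# CWE-639), not GitLab's code: DraftNote, the store and the three publish
# functions below are hypothetical stand-ins for a "publish draft comment"
# endpoint. Each function receives the id of the user making the request and
# the draft id taken from the request parameters.

DraftNote = Struct.new(:id, :author_id, :merge_request_id, :body, :published)

class NotFound < StandardError; end
class Forbidden < StandardError; end

# Constructed sample data: two users each hold one unpublished draft on the
# same merge request. Returned fresh on every call so each scenario starts clean.
def build_drafts
  [
    DraftNote.new(1, 100, 7, "nit: rename this", false),
    DraftNote.new(2, 200, 7, "LGTM", false),
  ]
end

# Vulnerable shape: the draft is located by the client-supplied id alone, so
# any authenticated user who knows or guesses another user's draft id can
# publish it under that user's name.
def publish_draft_vulnerable(drafts, _current_user_id, draft_id)
  draft = drafts.find { |d| d.id == draft_id }
  raise NotFound unless draft
  draft.published = true
  draft
end

# Hardened shape A: scope the lookup to the requesting user's own drafts.
# A draft owned by someone else is indistinguishable from a missing one,
# so the endpoint also stops confirming which ids exist.
def publish_draft_scoped(drafts, current_user_id, draft_id)
  draft = drafts.find { |d| d.id == draft_id && d.author_id == current_user_id }
  raise NotFound unless draft
  draft.published = true
  draft
end

# Hardened shape B: look up by id, then enforce ownership explicitly.
# Also correct, but the distinct Forbidden response reveals that the id exists.
def publish_draft_checked(drafts, current_user_id, draft_id)
  draft = drafts.find { |d| d.id == draft_id }
  raise NotFound unless draft
  raise Forbidden unless draft.author_id == current_user_id
  draft.published = true
  draft
end
```

The general rule the two hardened shapes share: on any state-changing endpoint, the object lookup must be scoped by the caller's authorization context (here the author), not by the identifier the client chose to send.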
References
Vulnerable Configurations
  • cpe:2.3:a:gitlab:gitlab:11.4.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.4.1:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.4.2:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.4.3:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.4.4:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.4.5:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.4.6:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.4.7:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:-:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc1:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc2:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc3:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc4:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc5:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc6:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc7:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc8:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc9:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc10:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc11:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc12:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:11.5.0:rc13:*:*:enterprise:*:*:*
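The CPE list above enumerates the affected releases one by one; for inventory checks it is more convenient to test a reported version string against the two ranges the summary states (11.4 before 11.4.8, 11.5 before 11.5.1). The Ruby below is an added example, not part of this record or of GitLab: it assumes the version is reported in GitLab's `MAJOR.MINOR.PATCH[-rcN][-ee]` form (for example `11.5.0-ee`), treats a release candidate as earlier than the final release with the same numbers (consistent with the rc CPEs listed above), and answers only for the ranges this advisory names; other minor series return false because the record says nothing about them.

```ruby
# Added example (not from the advisory or from GitLab): decide whether a
# GitLab EE version string falls inside the ranges this record lists,
# 11.4.x before 11.4.8 and 11.5.x before 11.5.1.
# Assumption: versions look like "11.4.7", "11.5.0-rc3" or "11.5.0-ee"
# (an optional "-rcN" pre-release tag, an optional "-ee" edition suffix).

# First fixed release per minor series named in the advisory.
FIXED_IN = {
  [11, 4] => [11, 4, 8],
  [11, 5] => [11, 5, 1],
}.freeze

# Parse a version string into [[major, minor, patch], prerelease_tag_or_nil].
def parse_gitlab_version(str)
  m = str.strip.match(/\A(\d+)\.(\d+)\.(\d+)(?:-(rc\d+))?(?:-ee)?\z/)
  raise ArgumentError, "unrecognised version: #{str.inspect}" unless m
  [[m[1].to_i, m[2].to_i, m[3].to_i], m[4]]
end

# True when parsed version a is older than parsed version b. With equal
# numbers, any rc is older than the final release and rcs order numerically.
def version_less_than?(a, b)
  nums_a, pre_a = a
  nums_b, pre_b = b
  cmp = nums_a <=> nums_b
  return cmp < 0 unless cmp.zero?
  return false if pre_a.nil?   # a is final: not older than anything with the same numbers
  return true if pre_b.nil?    # a is an rc, b is final
  pre_a[2..-1].to_i < pre_b[2..-1].to_i
end

# True when the version lies in one of the advisory's affected ranges.
# Series the advisory does not mention (e.g. 11.3, 11.6) return false:
# this record makes no statement about them.
def affected_by_cve_2018_19582?(version_string)
  parsed = parse_gitlab_version(version_string)
  fixed = FIXED_IN[parsed.first[0, 2]]
  return false if fixed.nil?
  version_less_than?(parsed, [fixed, nil])
end
```

Run it against the string shown on the instance's admin area or returned by `gitlab-rake gitlab:env:info`; the summary scopes the issue to EE, so a Community Edition version string is out of scope regardless of the number.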
CVSS
Base: 4.0 (as of 24-08-2020 - 17:37)
Impact: 2.9 (subscore computed from the v2 vector below)
Exploitability: 8.0 (subscore computed from the v2 vector below)
CWE CWE-639 (Authorization Bypass Through User-Controlled Key)
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: SINGLE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:N/A:N
refmap via4
confirm https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/
misc https://gitlab.com/gitlab-org/gitlab-ee/issues/8180
Last major update 24-08-2020 - 17:37
Published 10-07-2019 - 17:15
Last modified 24-08-2020 - 17:37