Vulnerabilities related to GitLab - GitLab EE
cve-2020-13349
Vulnerability from cvelistv5
Published
2020-11-17 18:22
Modified
2024-08-04 12:18
Summary
An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path left the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
References
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/257497 | x_refsource_MISC |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json | x_refsource_CONFIRM |
Impacted products
Product: GitLab EE (vendor: GitLab)
Affected versions: >=8.12, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2
Problem type: Uncontrolled resource consumption in GitLab
CVSS v3.1: 4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (the legacy v4 record lists 4.2 for the same vector)
Credit: This vulnerability has been discovered internally by the GitLab team
Assigner: GitLab (cve@gitlab.com); reserved 2020-05-21, published 2020-11-17T18:22:32, record updated 2024-08-04T12:18:17.565Z
Record: CVE_RECORD, dataVersion 5.1, state PUBLISHED
cve-2021-22240
Vulnerability from cvelistv5
Published
2021-08-05 19:25
Modified
2024-08-03 18:37
Summary
Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign-on despite the user cap being enabled.
References
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/327641 | x_refsource_MISC |
| https://hackerone.com/reports/1166566 | x_refsource_MISC |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22240.json | x_refsource_CONFIRM |
Impacted products
Product: GitLab EE (vendor: GitLab)
Affected versions: >=13.7, <13.11.6; >=13.12, <13.12.6; >=14.0, <14.0.2
Problem type: Improper access control in GitLab EE
CVSS v3.1: 4.2 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (the legacy v4 record lists 4.1 for the same vector)
Credit: Thanks bingomzan for reporting this vulnerability through our HackerOne bug bounty program
Assigner: GitLab (cve@gitlab.com); reserved 2021-01-05, published 2021-08-05T19:25:09, record updated 2024-08-03T18:37:18.341Z
Record: CVE_RECORD, dataVersion 5.1, state PUBLISHED
cve-2019-15582
Vulnerability from cvelistv5
Published
2020-01-28 02:36
Modified
2024-08-05 00:49
Summary
An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.
References
| URL | Tags |
|---|---|
| https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ | x_refsource_MISC |
| https://hackerone.com/reports/566216 | x_refsource_MISC |
Impacted products
Product: GitLab EE (vendor: GitLab)
Affected versions: before 12.3.2; before 12.2.6; before 12.1.12
Problem type: Insecure Direct Object Reference (IDOR) (CWE-639)
CVSS: no metrics in the record
Assigner: hackerone (support@hackerone.com); reserved 2019-08-26, published 2020-01-28T02:36:05, record updated 2024-08-05T00:49:13.762Z
Record: CVE_RECORD, dataVersion 5.1, state PUBLISHED
cve-2019-15581
Vulnerability from cvelistv5
Published
2020-01-28 02:43
Modified
2024-08-05 00:49
Summary
An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.
References
| URL | Tags |
|---|---|
| https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ | x_refsource_MISC |
| https://hackerone.com/reports/518995 | x_refsource_MISC |
Impacted products
Product: GitLab EE (vendor: GitLab)
Affected versions: before 12.3.2; before 12.2.6; before 12.1.12
Problem type: Insecure Direct Object Reference (IDOR) (CWE-639)
CVSS: no metrics in the record
Assigner: hackerone (support@hackerone.com); reserved 2019-08-26, published 2020-01-28T02:43:00, record updated 2024-08-05T00:49:13.763Z
Record: CVE_RECORD, dataVersion 5.1, state PUBLISHED
cve-2019-5474
Vulnerability from cvelistv5
Published
2020-01-28 02:29
Modified
2024-08-04 19:54
Summary
An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
References
| URL | Tags |
|---|---|
| https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ | x_refsource_MISC |
| https://hackerone.com/reports/544756 | x_refsource_MISC |
| https://gitlab.com/gitlab-org/gitlab-ee/issues/11423 | x_refsource_MISC |
Impacted products
Product: GitLab EE (vendor: GitLab)
Affected versions: before 12.1.2; before 12.0.4; before 11.11.6
Problem type: Improper Access Control - Generic (CWE-284)
CVSS: no metrics in the record
Assigner: hackerone (support@hackerone.com); reserved 2019-01-04, published 2020-01-28T02:29:38, record updated 2024-08-04T19:54:53.488Z
Record: CVE_RECORD, dataVersion 5.1, state PUBLISHED
cve-2020-13348
Vulnerability from cvelistv5
Published
2020-11-17 18:11
Modified
2024-08-04 12:18
Summary
An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are >=10.2, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
References
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/246928 | x_refsource_MISC |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13348.json | x_refsource_CONFIRM |
Impacted products
Product: GitLab EE (vendor: GitLab)
Affected versions: >=10.2, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2
Problem type: Improper authorization in GitLab EE
CVSS v3.1: 5.7 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Credit: This vulnerability has been discovered internally by the GitLab team
Assigner: GitLab (cve@gitlab.com); reserved 2020-05-21, published 2020-11-17T18:11:51, record updated 2024-08-04T12:18:17.574Z
Record: CVE_RECORD, dataVersion 5.1, state PUBLISHED
cve-2020-26416
Vulnerability from cvelistv5
Published
2020-12-11 03:34
Modified
2024-08-04 15:56
Summary
Information disclosure in the Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
References
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/244495 | x_refsource_MISC |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json | x_refsource_CONFIRM |
Impacted products
Product: GitLab EE (vendor: GitLab)
Affected versions: >=8.4 to <13.4.7; >=13.5 to <13.5.5; >=13.6 to <13.6.2
Problem type: Information exposure in GitLab EE
CVSS v3.1: 4.0 MEDIUM, CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N (the legacy v4 record lists 3.9 for the same vector)
Credit: This vulnerability has been discovered internally by the GitLab team
Assigner: GitLab (cve@gitlab.com); reserved 2020-10-01, published 2020-12-11T03:34:03, record updated 2024-08-04T15:56:04.341Z
Record: CVE_RECORD, dataVersion 5.1, state PUBLISHED
cve-2020-26406
Vulnerability from cvelistv5
Published
2020-11-17 00:13
Modified
2024-08-04 15:56
Summary
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted, as well as to guest members on private projects. Affected versions are >=13.3, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
References
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/244921 | x_refsource_MISC |
| https://hackerone.com/reports/965602 | x_refsource_MISC |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26406.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Affected versions
---|---|---
GitLab | GitLab EE | >=13.3, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2
CVSS 3.1 (CNA metrics)
5.3 Medium, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: reachable over the network, low attack complexity, no privileges and no user interaction required, scope unchanged; low confidentiality impact, no integrity or availability impact.
Problem type
Information exposure in GitLab EE
Credits
Thanks [ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for reporting this vulnerability through our HackerOne bug bounty program
Record metadata
CVE-2020-26406, assigned by GitLab (cve@gitlab.com, assigner org ceab7361-8a18-47b1-92ba-4d7d25f6715a). Reserved 2020-10-01, published 2020-11-17T00:13:19, CNA container last updated 2020-11-17T00:13:19, CVE Program ADP container (org af854a3a-2127-422b-91ae-364da2661108) last updated 2024-08-04T15:56:04.397Z. State PUBLISHED, CVE record format 5.1. Both containers carry the same three references listed above (the ADP copy tagged x_transferred). The record also embeds the original CVE 4.0 (MITRE data format) entry, which repeats the same description, affected versions, credit, CVSS 3.1 metrics, problem type and references.
cve-2020-26412
Vulnerability from cvelistv5
Published
2020-12-11 03:51
Modified
2024-08-04 15:56
Severity
Low (CVSS 3.1 base score 3.1, per the CNA metrics below)
Summary
Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.
References
URL | Tags
---|---
https://gitlab.com/gitlab-org/gitlab/-/issues/228670 | x_refsource_MISC
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26412.json | x_refsource_CONFIRM
Impacted products
Vendor | Product | Affected versions
---|---|---
GitLab | GitLab EE | >=13.2, <13.4.7; >=13.5, <13.5.5; >=13.6, <13.6.2
The summary's "before 13.6.2" names only the newest branch; per the affected ranges the fix shipped in 13.4.7, 13.5.5 and 13.6.2.
CVSS 3.1 (CNA metrics)
3.1 Low, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N: reachable over the network, high attack complexity, low privileges required (an authenticated user, here a former group member), no user interaction, scope unchanged; low confidentiality impact, no integrity or availability impact. The embedded legacy 4.0 copy of the record lists baseScore 3 for the same vector; that vector scores 3.1 under CVSS 3.1, so the CNA value is the correct one.
Problem type
Information exposure in GitLab EE
Credits
This vulnerability has been discovered internally by the GitLab team
Record metadata
CVE-2020-26412, assigned by GitLab (cve@gitlab.com, assigner org ceab7361-8a18-47b1-92ba-4d7d25f6715a). Reserved 2020-10-01, published 2020-12-11T03:51:02, CNA container last updated 2020-12-11T03:51:02, CVE Program ADP container (org af854a3a-2127-422b-91ae-364da2661108) last updated 2024-08-04T15:56:04.357Z. State PUBLISHED, CVE record format 5.1. Both containers carry the same two references listed above (the ADP copy tagged x_transferred). The record also embeds the original CVE 4.0 (MITRE data format) entry, which repeats the same description, affected versions, credit, CVSS metrics (with the baseScore discrepancy noted above), problem type and references.
cve-2019-15590
Vulnerability from cvelistv5
Published
2020-01-28 02:31
Modified
2024-08-05 00:49
Severity
Not scored: the record carries no CVSS metrics
Summary
An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration.
References
URL | Tags
---|---
https://hackerone.com/reports/701144 | x_refsource_MISC
https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/ | x_refsource_MISC
Impacted products
Vendor | Product | Affected versions
---|---|---
GitLab | GitLab EE | before 12.3.5; before 12.2.8; before 12.1.14
The description names both CE and EE, but the record's affected-product list contains only GitLab EE.
Problem type
Improper Access Control - Generic (CWE-284)
Credits
None recorded.
Record metadata
CVE-2019-15590, assigned by HackerOne (support@hackerone.com, assigner org 36234546-b8fa-4601-9d6f-f4e334aa8ea1). Reserved 2019-08-26, published 2020-01-28T02:31:05, CNA container last updated 2020-01-28T02:31:05, CVE Program ADP container (org af854a3a-2127-422b-91ae-364da2661108) last updated 2024-08-05T00:49:13.635Z. State PUBLISHED, CVE record format 5.1. No CVSS metrics are recorded. Both containers carry the same two references listed above (the ADP copy tagged x_transferred). The record also embeds the original CVE 4.0 (MITRE data format) entry, which repeats the same description, affected versions, problem type and references.
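All three records above share one failure shape: a principal with less access (an anonymous visitor or Guest for CVE-2020-26406, a removed group member for CVE-2020-26412, a non-member searching a group for CVE-2019-15590) receives data that the project or group's visibility settings reserve for someone with more. The regression test for that class is a role-differential query: send the same request as each principal and compare what comes back against the intended policy. The script below is an added example, not GitLab's own code or test suite; it demonstrates the approach on the CVE-2020-26406 case. It assumes the GitLab GraphQL endpoint at /api/graphql with a personal access token passed as an Authorization: Bearer header, the field name Project.sastCiConfiguration with the sub-fields shown (verify both with an introspection query on your instance), a policy in which only a Developer-or-higher member may read the SAST configuration, and sample responses that are constructed here rather than captured from a real server.

```python
"""Role-differential authorization check for a GitLab GraphQL field (added example)."""
import json
import urllib.request
from typing import Any, Dict, List, Optional, Tuple

# Assumption: Project.sastCiConfiguration is the GitLab 13.3+ field named in
# CVE-2020-26406. Confirm the field and sub-fields with an introspection
# query against your own instance before trusting the result.
SAST_QUERY = """
query($fullPath: ID!) {
  project(fullPath: $fullPath) {
    sastCiConfiguration { global { nodes { field value } } }
  }
}
"""
SAST_PATH = ("project", "sastCiConfiguration")


def graphql(base_url: str, query: str, variables: Dict[str, Any],
            token: Optional[str] = None) -> Dict[str, Any]:
    """POST one query to <base_url>/api/graphql; token=None means anonymous,
    otherwise the personal access token is sent as Authorization: Bearer."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/api/graphql", data=body,
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def present(response: Dict[str, Any], path: Tuple[str, ...]) -> bool:
    """True when response["data"][...path] exists and is not null. GitLab
    returns null for objects the caller may not read (or omits "data" and
    returns "errors"), so a non-null node means the principal got the data."""
    node: Any = response.get("data")
    for key in path:
        if not isinstance(node, dict):
            return False
        node = node.get(key)
    return node is not None


def find_regressions(responses: Dict[str, Dict[str, Any]],
                     policy: Dict[str, bool], path: Tuple[str, ...]) -> List[str]:
    """Principals that received data at `path` although `policy` denies them.
    responses: principal -> parsed GraphQL response; policy: principal -> may read.
    Denials of an allowed principal are not flagged: a bad token or a typo in
    the query produces the same shape, so check those separately."""
    leaks = []
    for principal, allowed in policy.items():
        if principal not in responses:
            raise KeyError(f"no response recorded for {principal!r}")
        if not allowed and present(responses[principal], path):
            leaks.append(principal)
    return leaks


def audit_sast_config(base_url: str, full_path: str,
                      tokens: Dict[str, Optional[str]],
                      policy: Dict[str, bool]) -> List[str]:
    """Live check: run SAST_QUERY as every principal in `tokens` and diff."""
    responses = {name: graphql(base_url, SAST_QUERY, {"fullPath": full_path}, tok)
                 for name, tok in tokens.items()}
    return find_regressions(responses, policy, SAST_PATH)


# Constructed sample responses (not captured from a real instance) for a public
# project whose repository is restricted to members. Assumed policy: only a
# member with at least the Developer role may read the SAST configuration.
SAMPLE_POLICY = {"anonymous": False, "guest": False, "developer": True}
_DEV_DATA = {"global": {"nodes": [{"field": "SECURE_ANALYZERS_PREFIX",
                                   "value": "registry.example.invalid/analyzers"}]}}
PATCHED_RESPONSES = {
    "anonymous": {"data": {"project": None}},
    "guest": {"data": {"project": {"sastCiConfiguration": None}}},
    "developer": {"data": {"project": {"sastCiConfiguration": _DEV_DATA}}},
}
VULNERABLE_RESPONSES = {  # pre-fix shape: the object is handed to everyone
    "anonymous": {"data": {"project": {"sastCiConfiguration": {"global": {"nodes": []}}}}},
    "guest": {"data": {"project": {"sastCiConfiguration": _DEV_DATA}}},
    "developer": {"data": {"project": {"sastCiConfiguration": _DEV_DATA}}},
}

if __name__ == "__main__":
    print("patched    ->", find_regressions(PATCHED_RESPONSES, SAMPLE_POLICY, SAST_PATH))
    print("vulnerable ->", find_regressions(VULNERABLE_RESPONSES, SAMPLE_POLICY, SAST_PATH))
```

To run it live, call audit_sast_config with tokens for a real Guest member and a real Developer of the target project plus None for the anonymous run, against a project whose repository visibility is set to members only; an empty list means no principal read the field against policy. The same find_regressions function covers the other two records once you substitute the request: the removed member's token and a To-Do query for CVE-2020-26412, or a non-member's token and a group search for CVE-2019-15590, with `path` pointing at the node that should be absent. Note that an empty `nodes` list still counts as a leak, because the existence of the configuration object is itself the information the fix withholds.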