CVE-2019-15590

An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/	Vendor Advisory
https://hackerone.com/reports/701144	Permissions Required Third Party Advisory
https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/	Vendor Advisory
https://hackerone.com/reports/701144	Permissions Required Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

21 Nov 2024, 04:29

Type	Values Removed	Values Added
References	~~() https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/ - Vendor Advisory~~	() https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/ - Vendor Advisory
References	~~() https://hackerone.com/reports/701144 - Permissions Required, Third Party Advisory~~	() https://hackerone.com/reports/701144 - Permissions Required, Third Party Advisory

Information

Published : 2020-01-28 03:15

Updated : 2024-11-21 04:29

NVD link : CVE-2019-15590

Mitre link : CVE-2019-15590

CVE.ORG link : CVE-2019-15590

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-284

Improper Access Control

NVD-CWE-Other

{"id": "CVE-2019-15590", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-01-28T03:15:10.717", "references": [{"url": "https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/", "tags": ["Vendor Advisory"], "source": "support@hackerone.com"}, {"url": "https://hackerone.com/reports/701144", "tags": ["Permissions Required", "Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/701144", "tags": ["Permissions Required", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration"}, {"lang": "es", "value": "Se presenta un problema de control de acceso en versiones anteriores a 12.3.5, versiones anteriores a 12.2.8 y versiones anteriores a 12.1.14 para GitLab Community Edition (CE) y Enterprise Edition (EE), donde las peticiones y problemas de fusi\u00f3n privada ser\u00edan divulgados con la funcionalidad Group Search proporcionada por la integraci\u00f3n Elasticsearch."}], "lastModified": "2024-11-21T04:29:05.087", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "58179BD4-F1A3-4BF0-9CED-A3A26022E044", "versionEndExcluding": "12.1.14", "versionStartIncluding": "12.1.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "F63D9855-07A6-4498-A85C-53FF85EFB2B2", "versionEndExcluding": "12.1.14", "versionStartIncluding": "12.1.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "C48750EE-F01A-4EB6-A54D-FAA997A996B0", "versionEndExcluding": "12.2.8", "versionStartIncluding": "12.2.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "D02BA806-98A1-489D-8285-7E6591246714", "versionEndExcluding": "12.2.8", "versionStartIncluding": "12.2.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "74F9E3F7-91CD-4334-A789-C878BDD3BBFF", "versionEndExcluding": "12.3.5", "versionStartIncluding": "12.3.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "37B80747-1EBB-4906-B129-F3F73C0BE9B2", "versionEndExcluding": "12.3.5", "versionStartIncluding": "12.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}