CVE-2019-7155

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. A user retains their role within a project in a private group after being removed from the group, if their privileges within the project are different from the group.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab-ce/issues/42726	Exploit Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

No history.

Information

Published : 2019-04-16 22:29

Updated : 2024-02-28 17:08

NVD link : CVE-2019-7155

Mitre link : CVE-2019-7155

CVE.ORG link : CVE-2019-7155

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2019-7155", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-04-16T22:29:00.733", "references": [{"url": "https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/42726", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. A user retains their role within a project in a private group after being removed from the group, if their privileges within the project are different from the group."}, {"lang": "es", "value": "Se detect\u00f3 un problema en GitLab Community and Enterprise Edition versiones 9.x, 10.x, y 11.x en versiones anteriores a la 11.5.8, 11.6.x en versiones anteriores a la 11.6.6, y 11.7.x en versiones anteriores a la 11.7.1. Presenta un control de acceso incorrecto. Un usuario conserva su rol dentro de un proyecto en un grupo privado despu\u00e9s de ser eliminado del grupo, si sus privilegios dentro del proyecto son diferentes del grupo."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "01FF5284-807E-47AB-A400-4A4384DFE735", "versionEndExcluding": "11.5.8", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "C27A3343-2502-4B4A-9127-BF668B67050F", "versionEndExcluding": "11.5.8", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "794CA42E-5409-455B-956C-21BC431E0B98", "versionEndExcluding": "11.6.6", "versionStartIncluding": "11.6.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "35A01A1A-A0F1-4952-B15A-A898FD185B3F", "versionEndExcluding": "11.6.6", "versionStartIncluding": "11.6.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "3BAE4B6C-8F1F-4C42-ADF9-A9CBD3895C68", "versionEndExcluding": "11.7.1", "versionStartIncluding": "11.7.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "3A67FE77-4048-41B8-8734-CA62393ED632", "versionEndExcluding": "11.7.1", "versionStartIncluding": "11.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}