Multiple vulnerabilities in GitLab, Gitlab Community Edition
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 14 |
| CVE-ID | CVE-2019-19255 CVE-2019-19256 CVE-2019-19257 CVE-2019-19258 CVE-2019-19259 CVE-2019-19260 CVE-2019-19261 CVE-2019-19309 CVE-2019-19310 CVE-2019-19086 CVE-2019-19087 CVE-2019-19088 CVE-2019-19254 CVE-2019-19311 |
| CWE-ID | CWE-284 CWE-918 CWE-522 CWE-200 CWE-22 CWE-79 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #8 is available. Public exploit code for vulnerability #13 is available. |
| Vulnerable software |
Gitlab Community Edition Universal components / Libraries / Software for developers |
| Vendor | GitLab, Inc |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU30458
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-19255
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
MitigationUpdate to version 12.5.1.
Vulnerable software versionsGitlab Community Edition: 12.3.0 - 12.5.0
CPE2.3- cpe:2.3:a:gitlab:gitlab:12.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:12.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:12.3.2:*:*:*:*:*:*:*
https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Improper access control
EUVDB-ID: #VU30459
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-19256
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
MitigationUpdate to version 12.5.1.
Vulnerable software versionsGitlab Community Edition: 12.2.0 - 12.5.0
CPE2.3- cpe:2.3:a:gitlab:gitlab:12.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:12.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:12.2.3:*:*:*:*:*:*:*
https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Improper access control
EUVDB-ID: #VU30460
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-19257
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
MitigationUpdate to version 12.5.1.
Vulnerable software versionsGitlab Community Edition: 12.5.0
CPE2.3 External linkshttps://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Improper access control
EUVDB-ID: #VU30461
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-19258
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
MitigationUpdate to version 12.5.1.
Vulnerable software versionsGitlab Community Edition: 10.8.0 - 12.5.0
CPE2.3- cpe:2.3:a:gitlab:gitlab:10.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:10.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:10.8.2:*:*:*:*:*:*:*
https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Authorization bypass through user-controlled key
EUVDB-ID: #VU30462
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-19259
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR).
MitigationInstall update from vendor's website.
Vulnerable software versionsGitlab Community Edition: 11.3.0 - 12.5.0
CPE2.3- cpe:2.3:a:gitlab:gitlab:11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:11.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:11.3.2:*:*:*:*:*:*:*
https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper access control
EUVDB-ID: #VU30463
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-19260
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
MitigationUpdate to version 12.5.1.
Vulnerable software versionsGitlab Community Edition: 12.5.0
CPE2.3 External linkshttps://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU30464
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-19261
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF.
MitigationInstall update from vendor's website.
Vulnerable software versionsGitlab Community Edition: 6.7.0 - 12.5.0
CPE2.3- cpe:2.3:a:gitlab:gitlab:6.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:6.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:6.7.2:*:*:*:*:*:*:*
https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper access control
EUVDB-ID: #VU30465
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-19309
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
MitigationUpdate to version 12.5.1.
Vulnerable software versionsGitlab Community Edition: 12.5.0
CPE2.3 External linkshttps://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Insufficiently protected credentials
EUVDB-ID: #VU30466
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-19310
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to gain access to sensitive information.
GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure.
MitigationInstall update from vendor's website.
Vulnerable software versionsGitlab Community Edition: 9.0.0 - 12.5.0
CPE2.3- cpe:2.3:a:gitlab:gitlab:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:9.0.2:*:*:*:*:*:*:*
https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Information disclosure
EUVDB-ID: #VU30468
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-19086
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 1 of 2).
MitigationInstall update from vendor's website.
Vulnerable software versionsGitlab Community Edition: 8.17.0 - 12.5.0
CPE2.3- cpe:2.3:a:gitlab:gitlab:8.17.0:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:8.17.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:8.17.2:*:*:*:*:*:*:*
https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Information disclosure
EUVDB-ID: #VU30469
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-19087
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 2 of 2).
MitigationInstall update from vendor's website.
Vulnerable software versionsGitlab Community Edition: 8.17.0 - 12.5.0
CPE2.3- cpe:2.3:a:gitlab:gitlab:8.17.0:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:8.17.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:8.17.2:*:*:*:*:*:*:*
https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Path traversal
EUVDB-ID: #VU30470
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-19088
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Gitlab Enterprise Edition (EE) 11.3 through 12.4.2 allows Directory Traversal.
MitigationInstall update from vendor's website.
Vulnerable software versionsGitlab Community Edition: 11.3.0 - 12.5.0
CPE2.3- cpe:2.3:a:gitlab:gitlab:11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:11.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:11.3.2:*:*:*:*:*:*:*
https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Improper access control
EUVDB-ID: #VU30471
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-19254
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
MitigationUpdate to version 12.5.1.
Vulnerable software versionsGitlab Community Edition: 12.5.0
CPE2.3 External linkshttps://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
https://gitlab.com/gitlab-org/gitlab/issues/12219
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
14) Cross-site scripting
EUVDB-ID: #VU30472
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-19311
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate to version 12.5.1.
Vulnerable software versionsGitlab Community Edition: 12.5.0
CPE2.3 External linkshttps://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
https://about.gitlab.com/blog/categories/releases/
https://gitlab.com/gitlab-org/gitlab/issues/31536
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
