Information disclosure in Gitlab Community Edition - CVE-2018-18645
Published: October 30, 2018
Vulnerability identifier: #VU15576
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-18645
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists because a user's unsubscribe link can be included in an issue when that user replies to the issue through email with the GitLab email footer still attached. A remote attacker can view arbitrary data.
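As an added example (not code from the advisory or from GitLab), a Python sanitizer that drops a notification footer from an inbound email reply before it is stored as an issue note, plus a check over existing notes for unsubscribe links that already leaked. The footer wording, the sample reply and the sent_notifications URL shape are assumptions.

```python
import re

# Assumed phrases that mark the start of a GitLab-style notification footer
# (constructed for this example; adjust to the real footer of your instance).
FOOTER_MARKERS = (
    "reply to this email directly or view it on gitlab",
    "you're receiving this email because",
    "unsubscribe from this thread",
)

# Any URL whose path ends in /unsubscribe, optionally followed by a query string.
UNSUBSCRIBE_RE = re.compile(r"https?://[^\s)>\]]+/unsubscribe\b[^\s)>\]]*", re.I)

# Constructed sample reply: the user's text, then the quoted notification
# (footer and unsubscribe link included) that a mail client appended.
SAMPLE_REPLY = """Thanks, I can reproduce this.

On Tue, Oct 30, 2018, GitLab <noreply@gitlab.example> wrote:
> Issue #12 was updated.
>
> --
> Reply to this email directly or view it on GitLab: https://gitlab.example/group/project/issues/12
> You're receiving this email because of your account.
> Unsubscribe from this thread: https://gitlab.example/-/sent_notifications/REPLY_KEY_PLACEHOLDER/unsubscribe
"""


def strip_notification_footer(reply_body: str) -> str:
    """Cut the reply at the first signature delimiter ('-- ') or footer marker,
    even when the line is quoted with '>', so the footer never reaches the note."""
    lines = reply_body.splitlines()
    cut = len(lines)
    for i, line in enumerate(lines):
        bare = line.lstrip("> ").strip().lower()
        if bare == "--" or any(marker in bare for marker in FOOTER_MARKERS):
            cut = i
            break
    return "\n".join(lines[:cut]).rstrip()


def find_leaked_unsubscribe_links(notes):
    """Return (note_id, url) for every stored note that still carries an
    unsubscribe link, so affected notes can be found and redacted."""
    hits = []
    for note_id, text in notes:
        for match in UNSUBSCRIBE_RE.finditer(text):
            hits.append((note_id, match.group(0)))
    return hits
```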
How to mitigate CVE-2018-18645
The vulnerability has been fixed in versions 11.4.3, 11.3.8 and 11.2.7.