Improper Authorization in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2019-18458


Published: December 3, 2019


Vulnerability identifier: #VU23353
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-18458
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition
GitLab Enterprise Edition

Detailed vulnerability description

The vulnerability allows an attacker to bypass authorization checks.

The vulnerability exists due to improper authorization checks in the feature that transfers a project to another group. A remote user with developer rights can move projects.
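As an added illustration of the authorization failure described above (example code, not GitLab's own), here is a weak project-transfer check beside a corrected one in Ruby. The role names follow GitLab's access levels; the exact rules the corrected check enforces (owner of the source project, at least maintainer in the destination group) are an assumption for the example, not the vendor's fix.

```ruby
# Illustration of the CWE-285 pattern: an action is gated on a role that is
# too low for what it does. Not GitLab code; rules below are assumptions.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Project = Struct.new(:name, :members) # members: { user => role }
Group   = Struct.new(:name, :members)

def role_of(user, resource)
  resource.members[user]
end

# Boolean result even when the user is not a member (role is nil).
def at_least?(role, minimum)
  !role.nil? && ROLE_RANK.fetch(role) >= ROLE_RANK.fetch(minimum)
end

# Weak check: anyone who can push code (developer and above) may transfer the
# project, and the destination group is not consulted at all.
def can_transfer_weak?(user, project, _target_group)
  at_least?(role_of(user, project), :developer)
end

# Corrected check: the user must own the source project AND hold at least
# maintainer rights in the destination group, so a project cannot be moved
# into a namespace the user does not administer. Both sides are verified.
def can_transfer_checked?(user, project, target_group)
  at_least?(role_of(user, project), :owner) &&
    at_least?(role_of(user, target_group), :maintainer)
end

# Constructed sample data (not from any real instance)
ALICE = "alice" # project owner, maintainer of the destination group
BOB   = "bob"   # developer on the project, not a member of the destination
CAROL = "carol" # project owner, not a member of the destination group
PROJECT = Project.new("widgets", { ALICE => :owner, BOB => :developer, CAROL => :owner })
TARGET  = Group.new("ops", { ALICE => :maintainer })

if __FILE__ == $PROGRAM_NAME
  [ALICE, BOB, CAROL].each do |u|
    puts "#{u}: weak=#{can_transfer_weak?(u, PROJECT, TARGET)} " \
         "checked=#{can_transfer_checked?(u, PROJECT, TARGET)}"
  end
end
```

Running it shows the developer (bob) passing the weak check but failing the corrected one, and the owner without destination rights (carol) being stopped only by the destination-side check.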


How to mitigate CVE-2019-18458

Install updates from the vendor's website.

Sources