Improper Authorization in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2019-18457
Published: December 3, 2019
Vulnerability identifier: #VU23354
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-18457
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition
GitLab Enterprise Edition
Detailed vulnerability description
The vulnerability allows an attacker to bypass authorization checks.
The vulnerability exists due to improper authorization checks in the handling of Sentry tokens. A demoted user can gain access to the affected system.
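The advisory describes the general shape of CWE-285 here: an authorization decision that does not reflect a user's current role, so a user who has been demoted keeps access they should have lost. The following is an added, constructed illustration of that pattern and of the corresponding fix; it is not GitLab's code and makes no claim about how the actual bug was implemented. The project model, role names, `TOKEN_READ_MIN_ROLE` and the token value are all assumptions made for the example.

```python
"""Constructed illustration of CWE-285 in the shape the advisory describes:
a user whose role has been demoted must no longer be able to read a project's
integration (here: Sentry) token. Hypothetical model, not GitLab's code."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed role ordering and the minimum role allowed to read an integration token.
ROLE_RANK = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40}
TOKEN_READ_MIN_ROLE = "maintainer"


@dataclass
class Project:
    name: str
    sentry_token: str                                   # secret to protect (constructed)
    members: Dict[str, str] = field(default_factory=dict)  # username -> current role


@dataclass
class Session:
    """A login session that snapshots the user's role at login time."""
    username: str
    role_at_login: str


def can_read_token_stale(session: Session) -> bool:
    """Weak check: decides on the role captured at login. A user demoted after
    login keeps whatever access the old role granted (the CWE-285 pattern)."""
    return ROLE_RANK[session.role_at_login] >= ROLE_RANK[TOKEN_READ_MIN_ROLE]


def can_read_token(project: Project, username: str) -> bool:
    """Hardened check: consults the project's *current* membership on every
    access, so a removed or demoted user is denied immediately."""
    role = project.members.get(username)
    if role is None:
        return False
    return ROLE_RANK[role] >= ROLE_RANK[TOKEN_READ_MIN_ROLE]


def read_sentry_token(project: Project, username: str) -> Optional[str]:
    """Return the token only when the current-role check passes."""
    if not can_read_token(project, username):
        return None
    return project.sentry_token


def demotion_scenario() -> Tuple[bool, bool]:
    """Walk through the advisory's scenario with constructed data and return
    (stale_decision, current_decision) for the demoted user."""
    project = Project("demo", sentry_token="sentry-token-CONSTRUCTED",
                      members={"alice": "maintainer"})
    session = Session("alice", role_at_login="maintainer")
    # Alice is demoted to developer while her session is still alive.
    project.members["alice"] = "developer"
    return can_read_token_stale(session), can_read_token(project, "alice")


if __name__ == "__main__":
    print(demotion_scenario())  # (True, False): stale check still allows, current check denies
```

The point of the comparison is where the decision is made: a check bound to a snapshot taken at login or at token-grant time cannot observe a later demotion, whereas re-reading current membership on each access makes the demotion take effect at once. Detection-wise, logging both the role used for the decision and the role currently on record makes this class of drift visible.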
How to mitigate CVE-2019-18457
Install updates from the vendor's website.