Main Vulnerability Database Vulnerabilities #VU30993

Information disclosure in Gitlab Community Edition - CVE-2018-19582

Published: July 10, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30993

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-19582

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: GitLab, Inc

Affected software:
Gitlab Community Edition

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user.

How to mitigate CVE-2018-19582

Install update from vendor's website.

Sources

https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/
https://gitlab.com/gitlab-org/gitlab-ee/issues/8180

Information disclosure in Gitlab Community Edition - CVE-2018-19582

Detailed vulnerability description

How to mitigate CVE-2018-19582

Sources

Please verify you're human