CVE-2019-15590 - OpenCVE

An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

References

Link	Resource
https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/	Vendor Advisory
https://hackerone.com/reports/701144	Permissions Required Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2020-01-28T02:31:05

Updated: 2020-01-28T02:31:05

Reserved: 2019-08-26T00:00:00

Link: CVE-2019-15590

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-01-28T03:15:10.717

Modified: 2021-11-02T19:16:05.343

Link: CVE-2019-15590

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "GitLab EE", "vendor": "GitLab", "versions": [{"status": "affected", "version": "before 12.3.5"}, {"status": "affected", "version": "before 12.2.8"}, {"status": "affected", "version": "before 12.1.14"}]}], "descriptions": [{"lang": "en", "value": "An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "Improper Access Control - Generic (CWE-284)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-01-28T02:31:05", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/701144"}, {"tags": ["x_refsource_MISC"], "url": "https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-15590", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GitLab EE", "version": {"version_data": [{"version_value": "before 12.3.5"}, {"version_value": "before 12.2.8"}, {"version_value": "before 12.1.14"}]}}]}, "vendor_name": "GitLab"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control - Generic (CWE-284)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/701144", "refsource": "MISC", "url": "https://hackerone.com/reports/701144"}, {"name": "https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/", "refsource": "MISC", "url": "https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-15590", "datePublished": "2020-01-28T02:31:05", "dateReserved": "2019-08-26T00:00:00", "dateUpdated": "2020-01-28T02:31:05", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "58179BD4-F1A3-4BF0-9CED-A3A26022E044", "versionEndExcluding": "12.1.14", "versionStartIncluding": "12.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F63D9855-07A6-4498-A85C-53FF85EFB2B2", "versionEndExcluding": "12.1.14", "versionStartIncluding": "12.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "C48750EE-F01A-4EB6-A54D-FAA997A996B0", "versionEndExcluding": "12.2.8", "versionStartIncluding": "12.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "D02BA806-98A1-489D-8285-7E6591246714", "versionEndExcluding": "12.2.8", "versionStartIncluding": "12.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "74F9E3F7-91CD-4334-A789-C878BDD3BBFF", "versionEndExcluding": "12.3.5", "versionStartIncluding": "12.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "37B80747-1EBB-4906-B129-F3F73C0BE9B2", "versionEndExcluding": "12.3.5", "versionStartIncluding": "12.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration"}, {"lang": "es", "value": "Se presenta un problema de control de acceso en versiones anteriores a 12.3.5, versiones anteriores a 12.2.8 y versiones anteriores a 12.1.14 para GitLab Community Edition (CE) y Enterprise Edition (EE), donde las peticiones y problemas de fusi\u00f3n privada ser\u00edan divulgados con la funcionalidad Group Search proporcionada por la integraci\u00f3n Elasticsearch."}], "id": "CVE-2019-15590", "lastModified": "2021-11-02T19:16:05.343", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-28T03:15:10.717", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/"}, {"source": "support@hackerone.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/701144"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "support@hackerone.com", "type": "Secondary"}]}