ASA-2019-00215 – GitLab: Guest users of private projects have access to releases


Allele Security Alert

ASA-2019-00215

Identifier(s)

ASA-2019-00215, CVE-2019-10115

Title

Guest users of private projects have access to releases

Vendor(s)

GitLab

Product(s)

GitLab Community Edition (CE)
GitLab Enterprise Edition (EE)

Affected version(s)

Affects GitLab CE/EE 11.7 and later

Fixed version(s)

GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.9.4
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.8.6
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.7.10

Proof of concept

Unknown

Description

An authorization issue was discovered in the GitLab Releases feature that could allow guest users of private projects to access private information such as release details.

Technical details

Unknown

Credits

xanbanx

Reference(s)

GitLab Security Release: 11.9.4, 11.8.6, and 11.7.10
https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/

CVE-2019-10115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10115

CVE-2019-10115
https://nvd.nist.gov/vuln/detail/CVE-2019-10115

Last modified: April 24, 2019