CVE-2019-15580

Published: Dec 18, 2019Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An information exposure vulnerability exists in gitlab.com <v12.3.2, <v12.2.6, and <v12.1.10 when using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted.

Affected (6)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	Before 12.1.10
Gitlab Gitlab	From 12.2.0 to 12.2.6
Gitlab Gitlab	From 12.3.0 to 12.3.2
Gitlab Gitlab	Before 12.1.10
Gitlab Gitlab	From 12.2.0 to 12.2.6
Gitlab Gitlab	From 12.3.0 to 12.3.2

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-201

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References (2)

https://hackerone.com/reports/667408

Source: support@hackerone.com

ExploitThird Party Advisory

https://hackerone.com/reports/667408

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.