CVE-2019-19628

Published: Jan 5, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions.

Affected (3)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 11.3.0 to 12.3.8
Gitlab Gitlab	From 12.4.0 to 12.4.5
Gitlab Gitlab	From 12.5.0 to 12.5.3

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/

Source: cve@mitre.org

Vendor Advisory

https://about.gitlab.com/blog/categories/releases/

Source: cve@mitre.org

Release Notes

https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://about.gitlab.com/blog/categories/releases/

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

Timeline

No history available yet.