Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-01BDE18A-2E09-11EA-A935-001B217B3468 (CVE-2019-20147): Gitlab -- Multiple Vulnerabilities

Back to Search

FreeBSD: VID-01BDE18A-2E09-11EA-A935-001B217B3468 (CVE-2019-20147): Gitlab -- Multiple Vulnerabilities

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
01/02/2020
Created
01/07/2020
Added
01/04/2020
Modified
01/22/2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-01BDE18A-2E09-11EA-A935-001B217B3468:

SO-AND-SO reports:

Group Maintainers Can Update/Delete Group Runners Using API

GraphQL Queries Can Hang the Application

Unauthorized Users Have Access to Milestones of Releases

Private Group Name Revealed Through Protected Tags API

Users Can Publish Reviews on Locked Merge Requests

DoS in the Issue and Commit Comments Pages

Project Name Disclosed Through Unsubscribe Link

Private Project Name Disclosed Through Notification Settings

Solution(s)

  • freebsd-upgrade-package-gitlab-ce

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;