PT-2020-10204 · Gitlab · Gitlab Ce/Ee+1

Published

2020-01-05

Updated

2021-07-21

CVE-2019-19629

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions GitLab EE versions 10.5 through 12.5.3 GitLab EE version 12.4.5 GitLab EE version 12.3.8

Description The issue allows private code to be disclosed via the Group Search API provided by the Elasticsearch integration when transferring a public project to a private group.

Recommendations For GitLab EE versions 10.5 through 12.5.3, consider restricting access to the Group Search API until a fix is available. For GitLab EE version 12.4.5, restrict the use of the Elasticsearch integration for private groups. For GitLab EE version 12.3.8, avoid using the Group Search API for sensitive projects until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2019-19629

Affected Products

Gitlab

Gitlab Ce/Ee

PT-2020-10204 · Gitlab · Gitlab Ce/Ee+1

CVE-2019-19629

Related Identifiers

Affected Products

References · 4