PT-2020-9320 · Gitlab · Gitlab Ce/Ee+1

Ashish_R_Padelkar

Published

2020-03-10

Updated

2020-08-24

CVE-2019-12434

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: GitLab Community and Enterprise Edition versions 10.6 through 11.11

Description: An issue allows users to guess the URL slug of private projects through the contrast of the destination URLs of issues linked in comments, leading to Information Disclosure.

Recommendations: For GitLab Community and Enterprise Edition versions 10.6 through 11.11, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to issue links in comments to minimize the risk of exploitation.

Fix

Use of Insufficiently Random Values

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-330

Related Identifiers

CVE-2019-12434

Affected Products

Gitlab

Gitlab Ce/Ee

PT-2020-9320 · Gitlab · Gitlab Ce/Ee+1

CVE-2019-12434

Weakness Enumeration

Related Identifiers

Affected Products

References · 5