A vulnerability was found in GitLab Community Edition and Enterprise Edition up to 12.2.1 (Bug Tracking Software). It has been declared as critical. This vulnerability affects an unknown code of the component Internal Endpoint. The manipulation with an unknown input leads to a permission assignment vulnerability. The CWE definition for the vulnerability is CWE-732. The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

An issue was discovered in GitLab Community and Enterprise Edition 10.8 through 12.2.1. An internal endpoint unintentionally allowed group maintainers to view and edit group runner settings.

The weakness was presented 09/16/2019 (Website). The advisory is available at about.gitlab.com. This vulnerability was named CVE-2019-15721 since 08/28/2019. The attack can be initiated remotely. A single authentication is needed for exploitation. The technical details are unknown and an exploit is not available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

See VDB-141839, VDB-141840, VDB-141841 and VDB-141843 for similar entries. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Bug Tracking Software

Vendor

• GitLab

Name

• Community Edition
• Enterprise Edition

Version

• 12.2.0
• 12.2.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion