GitLab Community Edition/Enterprise Edition up to 12.1.9/12.2.5/12.3.1 Salesforce Login authentication bypass
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
7.4 | $0-$5k | 0.00 |
A vulnerability was found in GitLab Community Edition and Enterprise Edition up to 12.1.9/12.2.5/12.3.1 (Bug Tracking Software). It has been classified as critical. Affected is an unknown code block of the component Salesforce Login Handler. The manipulation with an unknown input leads to a authentication bypass vulnerability. CWE is classifying the issue as CWE-288. A product requires authentication, but the product has an alternate path or channel that does not require authentication. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
A authentication bypass vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 in the Salesforce login integration that could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements.
The weakness was released 12/18/2019. This vulnerability is traded as CVE-2019-5486 since 01/04/2019. The exploitability is told to be easy. It is possible to launch the attack remotely. The requirement for exploitation is a authentication. There are neither technical details nor an exploit publicly available.
Upgrading to version 12.1.10, 12.2.6 or 12.3.2 eliminates this vulnerability.
Entry connected to this vulnerability is available at 147515.
Product
Type
Vendor
Name
Version
- 12.1.0
- 12.1.1
- 12.1.2
- 12.1.3
- 12.1.4
- 12.1.5
- 12.1.6
- 12.1.7
- 12.1.8
- 12.1.9
- 12.2.0
- 12.2.1
- 12.2.2
- 12.2.3
- 12.2.4
- 12.2.5
- 12.3.0
- 12.3.1
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.5VulDB Meta Temp Score: 7.4
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 8.8
NVD Vector: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Authentication bypassCWE: CWE-288 / CWE-287
ATT&CK: Unknown
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Community Edition/Enterprise Edition 12.1.10/12.2.6/12.3.2
Timeline
01/04/2019 🔍12/18/2019 🔍
12/20/2019 🔍
03/16/2024 🔍
Sources
Vendor: gitlab.comAdvisory: hackerone.com
Status: Not defined
CVE: CVE-2019-5486 (🔍)
See also: 🔍
Entry
Created: 12/20/2019 07:00Updated: 03/16/2024 06:54
Changes: 12/20/2019 07:00 (38), 12/20/2019 07:05 (18), 03/16/2024 06:54 (4)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.