A vulnerability was found in GitLab Community Edition and Enterprise Edition up to 11.1.6/11.2.3/11.3.0 (Bug Tracking Software). It has been rated as problematic. Affected by this issue is an unknown part of the component Events API. The manipulation with an unknown input leads to a resource injection vulnerability. Using CWE to declare the problem leads to CWE-99. The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. Impacted is confidentiality. CVE summarizes:

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Remote attackers could obtain sensitive information about issues, comments, and project titles via events API insecure direct object reference.

The weakness was shared 04/16/2023. The advisory is shared for download at about.gitlab.com. This vulnerability is handled as CVE-2018-17449 since 09/25/2018. There are neither technical details nor an exploit publicly available.

Upgrading to version 11.1.7, 11.2.4 or 11.3.1 eliminates this vulnerability. The upgrade is hosted for download at about.gitlab.com.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Bug Tracking Software

Vendor

• GitLab

Name

• Community Edition
• Enterprise Edition

Version

• 11.0
• 11.1
• 11.1.0
• 11.1.1
• 11.1.2
• 11.1.3
• 11.1.4
• 11.1.5
• 11.1.6
• 11.2
• 11.2.0
• 11.2.1
• 11.2.2
• 11.2.3
• 11.3.0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion