CVE-2019-5466 - Vulnerability Details

Vendors	Products
Gitlab	Gitlab

Link	Providers
https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/
https://gitlab.com/gitlab-org/gitlab-ce/issues/59809
https://hackerone.com/reports/507113

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "GitLab CE/EE", "vendor": "n/a", "versions": [{"status": "affected", "version": "Affects GitLab CE/EE 11.5 and later"}, {"status": "affected", "version": "Fixed in 12.1.2 in 12.0.4 and in 11.11.6"}]}], "descriptions": [{"lang": "en", "value": "An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Insecure Direct Object Reference (IDOR) (CWE-639)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-01-28T02:39:28", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/507113"}, {"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/59809"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-5466", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GitLab CE/EE", "version": {"version_data": [{"version_value": "Affects GitLab CE/EE 11.5 and later"}, {"version_value": "Fixed in 12.1.2 in 12.0.4 and in 11.11.6"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insecure Direct Object Reference (IDOR) (CWE-639)"}]}]}, "references": {"reference_data": [{"name": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/", "refsource": "MISC", "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/"}, {"name": "https://hackerone.com/reports/507113", "refsource": "MISC", "url": "https://hackerone.com/reports/507113"}, {"name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/59809", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/59809"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:54:53.587Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/507113"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/59809"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-5466", "datePublished": "2020-01-28T02:39:28", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2024-08-04T19:54:53.587Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : GitLab CE/EE (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : Affects GitLab CE/EE 11.5 and later (string)

}

1 : { »

status : affected (string)

version : Fixed in 12.1.2 in 12.0.4 and in 11.11.6 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-639 (string)

description : Insecure Direct Object Reference (IDOR) (CWE-639) (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2020-01-28T02:39:28 (string)

orgId : 36234546-b8fa-4601-9d6f-f4e334aa8ea1 (string)

shortName : hackerone (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://hackerone.com/reports/507113 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://gitlab.com/gitlab-org/gitlab-ce/issues/59809 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : support@hackerone.com (string)

ID : CVE-2019-5466 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : GitLab CE/EE (string)

version : { »

version_data : [ »

0 : { »

version_value : Affects GitLab CE/EE 11.5 and later (string)

}

1 : { »

version_value : Fixed in 12.1.2 in 12.0.4 and in 11.11.6 (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Insecure Direct Object Reference (IDOR) (CWE-639) (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ (string)

refsource : MISC (string)

url : https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ (string)

}

1 : { »

name : https://hackerone.com/reports/507113 (string)

refsource : MISC (string)

url : https://hackerone.com/reports/507113 (string)

}

2 : { »

name : https://gitlab.com/gitlab-org/gitlab-ce/issues/59809 (string)

refsource : MISC (string)

url : https://gitlab.com/gitlab-org/gitlab-ce/issues/59809 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T19:54:53.587Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://hackerone.com/reports/507113 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://gitlab.com/gitlab-org/gitlab-ce/issues/59809 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 36234546-b8fa-4601-9d6f-f4e334aa8ea1 (string)

assignerShortName : hackerone (string)

cveId : CVE-2019-5466 (string)

datePublished : 2020-01-28T02:39:28 (string)

dateReserved : 2019-01-04T00:00:00 (string)

dateUpdated : 2024-08-04T19:54:53.587Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "40E858BA-EF2A-403E-9C00-45DF0C5D0908", "versionEndExcluding": "11.11.7", "versionStartIncluding": "11.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "479BCD91-D442-4FB2-AA1F-CE61447781AE", "versionEndExcluding": "11.11.7", "versionStartIncluding": "11.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names."}, {"lang": "es", "value": "Se detect\u00f3 un IDOR en GitLab CE/EE versiones 11.5 y posteriores, que permit\u00eda nuevos endpoints de peticiones de fusi\u00f3n para revelar nombres de etiquetas."}], "id": "CVE-2019-5466", "lastModified": "2024-11-21T04:44:59.283", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-28T03:15:11.043", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/59809"}, {"source": "support@hackerone.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/507113"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/59809"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/507113"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (string)

matchCriteriaId : 40E858BA-EF2A-403E-9C00-45DF0C5D0908 (string)

versionEndExcluding : 11.11.7 (string)

versionStartIncluding : 11.5.0 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (string)

matchCriteriaId : 479BCD91-D442-4FB2-AA1F-CE61447781AE (string)

versionEndExcluding : 11.11.7 (string)

versionStartIncluding : 11.5.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names. (string)

}

1 : { »

lang : es (string)

value : Se detectó un IDOR en GitLab CE/EE versiones 11.5 y posteriores, que permitía nuevos endpoints de peticiones de fusión para revelar nombres de etiquetas. (string)

}

]

id : CVE-2019-5466 (string)

lastModified : 2024-11-21T04:44:59.283 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : NONE (string)

baseScore : 4 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:L/Au:S/C:P/I:N/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 8 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 4.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : NONE (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 1.4 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2020-01-28T03:15:11.043 (string)

references : [ »

0 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Patch (string)

1 : Release Notes (string)

2 : Vendor Advisory (string)

]

url : https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ (string)

}

1 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Exploit (string)

1 : Vendor Advisory (string)

]

url : https://gitlab.com/gitlab-org/gitlab-ce/issues/59809 (string)

}

2 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Permissions Required (string)

]

url : https://hackerone.com/reports/507113 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Release Notes (string)

2 : Vendor Advisory (string)

]

url : https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Vendor Advisory (string)

]

url : https://gitlab.com/gitlab-org/gitlab-ce/issues/59809 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Permissions Required (string)

]

url : https://hackerone.com/reports/507113 (string)

}

]

sourceIdentifier : support@hackerone.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-639 (string)

}

]

source : support@hackerone.com (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-639 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object