CVE-2019-6996

Published Sep 9, 2019

Last updated 4 years ago

CVSS medium 4.3

Overview

Description: An issue was discovered in GitLab Enterprise Edition 10.x (starting in 10.6) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. The merge request approvers section has an access control issue that permits project maintainers to view membership of private groups.
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 4.3
Impact score: 1.4
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 4
Impact score: 2.9
Exploitability score: 8
Vector string: AV:N/AC:L/Au:S/C:P/I:N/A:N

Weaknesses

nvd@nist.gov: CWE-269

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "94907C86-15C5-4560-A1AF-01935D029F8A",
            "versionEndIncluding": "10.8.7",
            "versionStartIncluding": "10.6.0"
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0DF1771E-338F-4653-B333-B79201BBAD04",
            "versionEndIncluding": "10.8.7",
            "versionStartIncluding": "10.6.0"
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FAC5BA5A-3493-4495-AD33-97CD61A04C59",
            "versionEndExcluding": "11.5.8",
            "versionStartIncluding": "11.0.0"
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B4FF27FC-A5B8-43DE-865C-60F7F2AE7F64",
            "versionEndExcluding": "11.5.8",
            "versionStartIncluding": "11.0.0"
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "794CA42E-5409-455B-956C-21BC431E0B98",
            "versionEndExcluding": "11.6.6",
            "versionStartIncluding": "11.6.0"
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "35A01A1A-A0F1-4952-B15A-A898FD185B3F",
            "versionEndExcluding": "11.6.6",
            "versionStartIncluding": "11.6.0"
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3BAE4B6C-8F1F-4C42-ADF9-A9CBD3895C68",
            "versionEndExcluding": "11.7.1",
            "versionStartIncluding": "11.7.0"
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3A67FE77-4048-41B8-8734-CA62393ED632",
            "versionEndExcluding": "11.7.1",
            "versionStartIncluding": "11.7.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References