cve-2019-15580
Vulnerability from cvelistv5
Published
2019-12-18 20:59
Modified
2024-08-05 00:49
Severity
Summary
An information exposure vulnerability exists in gitlab.com <v12.3.2, <v12.2.6, and <v12.1.10 when using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted.
References
SourceURLTags
support@hackerone.comhttps://hackerone.com/reports/667408Exploit, Third Party Advisory
Impacted products
VendorProduct
n/agitlab.com
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:49:13.790Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/667408"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gitlab.com",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "12.3.2, 12.2.6, and 12.1.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An information exposure vulnerability exists in gitlab.com \u003cv12.3.2, \u003cv12.2.6, and \u003cv12.1.10 when using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "Information Exposure Through Sent Data (CWE-201)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-12-18T20:59:15",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/667408"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2019-15580",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "gitlab.com",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "12.3.2, 12.2.6, and 12.1.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An information exposure vulnerability exists in gitlab.com \u003cv12.3.2, \u003cv12.2.6, and \u003cv12.1.10 when using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Exposure Through Sent Data (CWE-201)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/667408",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/667408"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2019-15580",
    "datePublished": "2019-12-18T20:59:15",
    "dateReserved": "2019-08-26T00:00:00",
    "dateUpdated": "2024-08-05T00:49:13.790Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-15580\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2019-12-18T21:15:11.977\",\"lastModified\":\"2019-12-27T00:07:55.323\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An information exposure vulnerability exists in gitlab.com \u003cv12.3.2, \u003cv12.2.6, and \u003cv12.1.10 when using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted.\"},{\"lang\":\"es\",\"value\":\"Se presenta una vulnerabilidad de exposici\u00f3n de informaci\u00f3n en gitlab.com versiones anteriores a v12.3.2, versiones anteriores a v12.2.6 y versiones anteriores a v12.1.10, cuando se utiliza el bloqueo de la funcionalidad de petici\u00f3n de fusion, era posible que un usuario no autenticado visualizara los datos de la tuber\u00eda principal de un proyecto p\u00fablico inclusive aunque la visibilidad de la tuber\u00eda estaba restringida.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-201\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionEndExcluding\":\"12.1.10\",\"matchCriteriaId\":\"AB2637E9-3EAC-4CC2-A614-E6BF2564484B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionEndExcluding\":\"12.1.10\",\"matchCriteriaId\":\"308ED5C4-D836-4541-A789-DD76A8C61EE5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"12.2.0\",\"versionEndExcluding\":\"12.2.6\",\"matchCriteriaId\":\"ABCEAA2E-75C8-426B-8EAA-52D3F78FB2A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"12.2.0\",\"versionEndExcluding\":\"12.2.6\",\"matchCriteriaId\":\"AF5AC653-CE12-4759-B07A-04C20B9EBA7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"12.3.0\",\"versionEndExcluding\":\"12.3.2\",\"matchCriteriaId\":\"5BB337AA-1FBB-4BEF-9652-F462CEC4BE71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"12.3.0\",\"versionEndExcluding\":\"12.3.2\",\"matchCriteriaId\":\"DB3CF71C-AD05-4866-9629-0DB7E92775C2\"}]}]}],\"references\":[{\"url\":\"https://hackerone.com/reports/667408\",\"source\":\"support@hackerone.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.