cve-2019-5469
Vulnerability from cvelistv5
Published
2019-12-18 20:59
Modified
2024-08-04 19:54
Severity
Summary
An IDOR vulnerability exists in GitLab <v12.1.2, <v12.0.4, and <v11.11.6 that allowed uploading files from project archive to replace other users files potentially allowing an attacker to replace project binaries or other uploaded assets.
References
Source | URL | Tags |
---|---|---|
support@hackerone.com | https://gitlab.com/gitlab-org/gitlab-ce/issues/60551 | Exploit, Vendor Advisory |
support@hackerone.com | https://hackerone.com/reports/534794 | Exploit, Issue Tracking, Third Party Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:54:53.479Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/534794" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/60551" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Fixed versions 12.1.2, 12.0.4, and 11.11.6" } ] } ], "descriptions": [ { "lang": "en", "value": "An IDOR vulnerability exists in GitLab \u003cv12.1.2, \u003cv12.0.4, and \u003cv11.11.6 that allowed uploading files from project archive to replace other users files potentially allowing an attacker to replace project binaries or other uploaded assets." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-639", "description": "Insecure Direct Object Reference (IDOR) (CWE-639)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-12-18T20:59:50", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/534794" }, { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/60551" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-5469", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab", "version": { "version_data": [ { "version_value": "Fixed versions 12.1.2, 12.0.4, and 11.11.6" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An IDOR vulnerability exists in GitLab \u003cv12.1.2, \u003cv12.0.4, and \u003cv11.11.6 that allowed uploading files from project archive to replace other users files potentially allowing an attacker to replace project binaries or other uploaded assets." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Direct Object Reference (IDOR) (CWE-639)" } ] } ] }, "references": { "reference_data": [ { "name": "https://hackerone.com/reports/534794", "refsource": "MISC", "url": "https://hackerone.com/reports/534794" }, { "name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/60551", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/60551" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-5469", "datePublished": "2019-12-18T20:59:50", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2024-08-04T19:54:53.479Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2019-5469\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2019-12-18T21:15:14.303\",\"lastModified\":\"2019-12-27T15:37:04.060\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An IDOR vulnerability exists in GitLab \u003cv12.1.2, \u003cv12.0.4, and \u003cv11.11.6 that allowed uploading files from project archive to replace other users files potentially allowing an attacker to replace project binaries or other uploaded assets.\"},{\"lang\":\"es\",\"value\":\"Se presenta una vulnerabilidad IDOR en GitLab versiones anteriores a v12.1.2, versiones anteriores a v12.0.4 y versiones anteriores a v11.11.6, que permiti\u00f3 cargar archivos desde el archivo del proyecto para reemplazar los archivos de otros usuarios, lo que permite potencialmente a un atacante reemplazar los binarios del proyecto u otros activos cargados.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":5.5},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]},{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"11.11.0\",\"versionEndExcluding\":\"11.11.6\",\"matchCriteriaId\":\"470E2D2F-030A-49C2-AF61-DDC659EBFCC6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"11.11.0\",\"versionEndExcluding\":\"11.11.6\",\"matchCriteriaId\":\"5F241A58-C88E-4155-AF2B-7B852465558E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.0.4\",\"matchCriteriaId\":\"62DEEA13-4D2C-436B-9780-983FC707DDF6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.0.4\",\"matchCriteriaId\":\"595B584B-2A5C-44F6-AC4C-51ACF913C6C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"12.1.0\",\"versionEndExcluding\":\"12.1.2\",\"matchCriteriaId\":\"99659BEC-15D0-4E75-BEBE-727FC32D9B35\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"12.1.0\",\"versionEndExcluding\":\"12.1.2\",\"matchCriteriaId\":\"D12A3A81-4A4F-441A-A820-F2D19B1A5C89\"}]}]}],\"references\":[{\"url\":\"https://gitlab.com/gitlab-org/gitlab-ce/issues/60551\",\"source\":\"support@hackerone.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://hackerone.com/reports/534794\",\"source\":\"support@hackerone.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]}]}}" } }
Loading...