Vulnerability Details : CVE-2019-9756
An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.
Products affected by CVE-2019-9756
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
- GitLab Community Edition, versions from 10.8.0 (>=) up to and including 10.8.7 (<=): cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
- GitLab Enterprise Edition, versions from 10.8.0 (>=) up to and including 10.8.7 (<=): cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-9756
- EPSS score: 0.78% (probability of exploitation activity in the next 30 days)
- Percentile: ~81% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2019-9756
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2019-9756
- The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-9756
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54243 : "Add public/internal groups as members to your Project (IDOR) (#54243)", GitLab.org / GitLab Community Edition issue tracker (tags: Exploit; Vendor Advisory)
- https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ : "GitLab Security Release: 11.8.1, 11.7.6, and 11.6.10" (tag: Vendor Advisory)
- https://about.gitlab.com/blog/categories/releases/ : "Releases | GitLab" (tags: Product; Vendor Advisory)