CVE-2019-15581

Summary

An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.

Affected Software

VendorProductVersion RangeStatus
GitLabGitLab EEbefore 12.3.2affected
GitLabGitLab EEbefore 12.2.6affected
GitLabGitLab EEbefore 12.1.12affected

Weaknesses

  • CWE-639: Insecure Direct Object Reference (IDOR) (CWE-639)

ADP Enrichment

CVE Program Container

Additional References

References