Code injection

2020-01-2803:15:00

PRIOn knowledge base

www.prio-n.com

4.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.4%

An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names.

CPENameOperatorVersion
gitlabge11.5.0
gitlablt11.11.7
gitlabge11.5.0
gitlablt11.11.7

Name	Operator	Version
gitlab	ge	11.5.0
gitlab	lt	11.11.7
gitlab	ge	11.5.0
gitlab	lt	11.11.7

References

about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/

gitlab.com/gitlab-org/gitlab-ce/issues/59809

hackerone.com/reports/507113