CVE-2018-19585

HIGH

GitLab CE/EE <11.3.11-11.5.1 - CRLF Injection

Title source: llm

Description

GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.

Exploits (2)

exploitdb WORKING POC
by Norbert Hofmann · python · webapps · ruby
https://www.exploit-db.com/exploits/49334
exploitdb WORKING POC
by Fortunato Lodari · python · webapps · ruby
https://www.exploit-db.com/exploits/49257

Scores

CVSS v3 7.5
EPSS 0.1190
EPSS Percentile 93.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE
CWE-93
Status published

Affected Products (2)

gitlab/gitlab < 11.3.11
gitlab/gitlab < 11.3.11

Timeline

Published May 17, 2019
Tracked Since Feb 18, 2026