CVE-2019-15591

MEDIUM

GitLab < 12.3.3 - Unauthenticated Improper Access Control via Merge Request Widget

Title source: llm
STIX 2.1

Description

An improper access control vulnerability exists in GitLab <12.3.3 that allows an attacker to obtain container and dependency scanning reports through the merge request widget even though public pipelines were disabled.

References (1)

Core 1
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/676976

Scores

CVSS v3 6.5
EPSS 0.0021
EPSS Percentile 43.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-284
Status published
Products (1)
gitlab/gitlab < 12.3.3 (2 CPE variants)
Published Dec 18, 2019
Tracked Since Feb 18, 2026