CVE-2018-19572

gitlab-org/gitlab-pages

on gitlab

Published

July 10, 2019

Severity

CVSS v3:

5.9 MEDIUM

CVSS v2:

4.3 MEDIUM

Description

GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11.

References

https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/
https://gitlab.com/gitlab-org/gitlab-pages/issues/98

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:gitlab:gitlab:::::enterprise:::*	8.3.0 (including)	11.3.11	*
cpe:2.3:a:gitlab:gitlab:::::community:::*	11.3.12 (including)	11.4.8	*
cpe:2.3:a:gitlab:gitlab:::::enterprise:::*	11.3.12 (including)	11.4.8	*
cpe:2.3:a:gitlab:gitlab:::::community:::*	11.4.9 (including)	11.5.1	*
cpe:2.3:a:gitlab:gitlab:::::enterprise:::*	11.4.9 (including)	11.5.1	*
cpe:2.3:a:gitlab:gitlab:::::community:::*	8.17.0 (including)	11.3.11	*

External Links

NVD - CVE-2018-19572