Vulnerability CVE-2019-15726

Vulnerability Name:

CVE-2019-15726 (CCN-167188)

Assigned:

2019-08-29

Published:

2019-08-29

Updated:

2021-07-21

Summary:

An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Embedded images and media files in markdown could be pointed to an arbitrary server, which would reveal the IP address of clients requesting the file from that server.

CVSS v3 Severity:

5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-200

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2019-15726

Source: CCN
Type: GitLab Web site
GitLab Security Release: 12.2.3, 12.1.8, and 12.0.8

Source: CONFIRM
Type: Release Notes, Vendor Advisory
https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/

Source: XF
Type: UNKNOWN
gitlab-cve201915726-info-disc(167188)

Source: MISC
Type: Broken Link
https://gitlab.com/gitlab-org/gitlab-ce/issues/55115

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-15726

Vulnerable Configuration:

Configuration 1:

cpe:/a:gitlab:gitlab:*:*:*:*:community:*:*:* (Version >= 12.1.0 and < 12.1.8)

OR cpe:/a:gitlab:gitlab:*:*:*:*:community:*:*:* (Version >= 12.2.0 and < 12.2.3)

OR cpe:/a:gitlab:gitlab:*:*:*:*:community:*:*:* (Version < 12.0.8)

OR cpe:/a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (Version < 12.0.8)

OR cpe:/a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (Version >= 12.1.0 and < 12.1.8)

OR cpe:/a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (Version >= 12.2.0 and < 12.2.3)

Configuration CCN 1:

cpe:/a:gitlab:gitlab:12.2.1:*:*:*:community:*:*:*

OR cpe:/a:gitlab:gitlab:12.2.1:*:*:*:enterprise:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.xenial:def:2019157260000000	V	CVE-2019-15726 on Ubuntu 16.04 LTS (xenial) - low.	2019-09-16

BACK